Diffstat (limited to 'docs/htmldocs/Samba3-HOWTO')
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/AccessControls.html 913
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html 319
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/Appendix.html 1
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/Backup.html 130
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/CUPS-printing.html 3112
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/ChangeNotes.html 144
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/ClientConfig.html 363
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/DNSDHCP.html 265
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/FastStart.html 698
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html 398
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/IntroSMB.html 134
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/NT4Migration.html 279
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/NetCommand.html 1391
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/NetworkBrowsing.html 1346
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/Other-Clients.html 151
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/PolicyMgmt.html 385
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/Portability.html 153
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/ProfileMgmt.html 644
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/SWAT.html 399
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/SambaHA.html 271
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/ServerType.html 471
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/StandAloneServer.html 201
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/TOSHpreface.html 50
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/VFS.html 531
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/apa.html 719
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/bugreport.html 159
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/cfgsmarts.html 180
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html 287
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/ch47.html 106
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/classicalprinting.html 2048
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/compiling.html 332
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/diagnosis.html 352
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/domain-member.html 966
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/go01.html 100
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/groupmapping.html 505
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/idmapper.html 731
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/10small.png bin 46666 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/11small.png bin 27817 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/12small.png bin 29508 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/13small.png bin 30506 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/14small.png bin 56042 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/1small.png bin 20739 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/2small.png bin 15016 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/3small.png bin 15785 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/4small.png bin 22370 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/5small.png bin 27857 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/6small.png bin 32612 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/7small.png bin 29350 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/8small.png bin 45259 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/9small.png bin 30509 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME001.png bin 8576 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME002.png bin 6913 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME003.png bin 6448 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME004.png bin 8864 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME005.png bin 6421 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME006.png bin 5999 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME007.png bin 5855 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME008.png bin 2337 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME009.png bin 8863 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME010.png bin 6454 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME011.png bin 5810 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME012.png bin 6454 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME013.png bin 5844 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WME014.png bin 5802 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WXPP002.png bin 25711 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WXPP003.png bin 18079 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WXPP005.png bin 15378 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WXPP009.png bin 18976 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/WXPP014.png bin 28767 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/a_small.png bin 115304 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/access1.png bin 56013 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/access1.svg 308
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/browsing1.png bin 53144 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/browsing1.svg 2025
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/cups1.png bin 172188 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/cups1.svg 274
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/cups2.png bin 189971 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/cups2.svg 320
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/domain.png bin 66222 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/domain.svg 2288
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/ethereal1.png bin 18517 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/ethereal2.png bin 38069 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.png bin 57073 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.svg 277
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-groups.png bin 35981 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-groups.svg 129
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.png bin 53269 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.svg 277
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.png bin 72918 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.svg 365
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.png bin 15603 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.svg 122
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.png bin 50877 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.svg 365
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap.png bin 33925 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap.svg 119
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/idmap_winbind_no_loop.png bin 9172 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.png bin 13547 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.svg 156
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/pdftosocket.png bin 3816 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/pdftosocket.svg 94
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/trusts1.png bin 26901 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/trusts1.svg 792
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/w2kp001.png bin 10891 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/w2kp002.png bin 11966 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/w2kp003.png bin 8892 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/w2kp004.png bin 12127 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/w2kp005.png bin 9951 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/w2kp006.png bin 9244 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp001.png bin 31712 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp004.png bin 29694 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp006.png bin 12651 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp007.png bin 12781 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp008.png bin 19550 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp010.png bin 19725 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp011.png bin 8579 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp012.png bin 8918 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp013.png bin 30107 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/images/wxpp015.png bin 9713 -> 0 bytes
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/index.html 50
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/install.html 317
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/integrate-ms-networks.html 461
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/introduction.html 5
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/ix01.html 9
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/largefile.html 55
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/locking.html 711
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/migration.html 1
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/msdfs.html 94
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/optional.html 7
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/pam.html 650
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/passdb.html 1670
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/pr01.html 30
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/pr02.html 95
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/pr03.html 54
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/problems.html 174
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/rights.html 413
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/samba-bdc.html 557
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/samba-pdc.html 890
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/samba.css 80
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/securing-samba.html 263
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/speed.html 174
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/tdb.html 56
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/troubleshooting.html 1
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/type.html 5
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/unicode.html 317
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html 369
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/winbind.html 1033
147 files changed, 0 insertions, 35686 deletions
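Review bot: In the diffstat, the .svg files under images/ (access1.svg, browsing1.svg, domain.svg, the idmap-*.svg set, trusts1.svg and others) are deleted together with the rendered .png files and the .html pages. The HTML carries a "DocBook XSL Stylesheets" generator tag and is build output, but SVG is normally the editable form of a figure, so the commit message should say where the figure sources are kept, or the .svg files should stay if this directory held the only copy.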
diff --git a/docs/htmldocs/Samba3-HOWTO/AccessControls.html b/docs/htmldocs/Samba3-HOWTO/AccessControls.html
deleted file mode 100644
index 65fc30afe0..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/AccessControls.html
+++ /dev/null
@@ -1,913 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. File, Directory, and Share Access Controls</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="rights.html" title="Chapter 15. User Rights and Privileges"><link rel="next" href="locking.html" title="Chapter 17. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. File, Directory, and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 16. File, Directory, and Share Access Controls"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 16. 
File, Directory, and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AccessControls.html#id378519">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id378687">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379000">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379121">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id379717">Share Definition Access Controls</a></span></dt><dd><dl><dt><span 
class="sect2"><a href="AccessControls.html#id379748">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380091">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380402">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id380718">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380854">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381176">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381182">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381222">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381286">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381416">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381607">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381747">Interaction with the Standard Samba <span class="quote">&#8220;<span class="quote">create mask</span>&#8221;</span> Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382083">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382146">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382508">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382518">Users Cannot Write to a Public Share</a></span></dt><dt><span 
class="sect2"><a href="AccessControls.html#id382826">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382869">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id378368"></a>
-<a class="indexterm" name="id378374"></a>
-<a class="indexterm" name="id378381"></a>
-<a class="indexterm" name="id378388"></a>
-Advanced MS Windows users are frequently perplexed when file, directory, and share manipulation of
-resources shared via Samba do not behave in the manner they might expect. MS Windows network
-administrators are often confused regarding network access controls and how to
-provide users with the access they need while protecting resources from unauthorized access.
-</p><p>
-<a class="indexterm" name="id378401"></a>
-<a class="indexterm" name="id378408"></a>
-Many UNIX administrators are unfamiliar with the MS Windows environment and in particular
-have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file
-and directory access permissions.
-</p><p>
-<a class="indexterm" name="id378420"></a>
-<a class="indexterm" name="id378427"></a>
-<a class="indexterm" name="id378434"></a>
-<a class="indexterm" name="id378440"></a>
-The problem lies in the differences in how file and directory permissions and controls work
-between the two environments. This difference is one that Samba cannot completely hide, even
-though it does try to bridge the chasm to a degree.
-</p><p>
-<a class="indexterm" name="id378451"></a>
-<a class="indexterm" name="id378458"></a>
-<a class="indexterm" name="id378467"></a>
-<a class="indexterm" name="id378474"></a>
-POSIX Access Control List technology has been available (along with extended attributes)
-for UNIX for many years, yet there is little evidence today of any significant use. This
-explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows
-administrators are astounded at this, given that ACLs were a foundational capability of the now
-decade-old MS Windows NT operating system.
-</p><p>
-<a class="indexterm" name="id378488"></a>
-The purpose of this chapter is to present each of the points of control that are possible with
-Samba-3 in the hope that this will help the network administrator to find the optimum method
-for delivering the best environment for MS Windows desktop users.
-</p><p>
-<a class="indexterm" name="id378500"></a>
-<a class="indexterm" name="id378507"></a>
-This is an opportune point to mention that Samba was created to provide a means of interoperability
-and interchange of data between differing operating environments. Samba has no intent to change
-UNIX/Linux into a platform like MS Windows. Instead the purpose was and is to provide a sufficient
-level of exchange of data between the two environments. What is available today extends well
-beyond early plans and expectations, yet the gap continues to shrink.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id378519"></a>Features and Benefits</h2></div></div></div><p>
- Samba offers much flexibility in file system access management. These are the key access control
- facilities present in Samba today:
- </p><div class="itemizedlist" title="Samba Access Control Facilities"><p class="title"><b>Samba Access Control Facilities</b></p><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id378538"></a>
- <span class="emphasis"><em>UNIX File and Directory Permissions</em></span>
- </p><p>
-<a class="indexterm" name="id378554"></a>
-<a class="indexterm" name="id378561"></a>
-<a class="indexterm" name="id378568"></a>
- Samba honors and implements UNIX file system access controls. Users
- who access a Samba server will do so as a particular MS Windows user.
- This information is passed to the Samba server as part of the logon or
- connection setup process. Samba uses this user identity to validate
- whether or not the user should be given access to file system resources
- (files and directories). This chapter provides an overview for those
- to whom the UNIX permissions and controls are a little strange or unknown.
- </p></li><li class="listitem"><p>
- <span class="emphasis"><em>Samba Share Definitions</em></span>
- </p><p>
-<a class="indexterm" name="id378591"></a>
- In configuring share settings and controls in the <code class="filename">smb.conf</code> file,
- the network administrator can exercise overrides to native file
- system permissions and behaviors. This can be handy and convenient
- to effect behavior that is more like what MS Windows NT users expect,
- but it is seldom the <span class="emphasis"><em>best</em></span> way to achieve this.
- The basic options and techniques are described herein.
- </p></li><li class="listitem"><p>
- <span class="emphasis"><em>Samba Share ACLs</em></span>
- <a class="indexterm" name="id378619"></a>
- </p><p>
-<a class="indexterm" name="id378632"></a>
- Just as it is possible in MS Windows NT to set ACLs on shares
- themselves, so it is possible to do in Samba.
- Few people make use of this facility, yet it remains one of the
- easiest ways to affect access controls (restrictions) and can often
- do so with minimum invasiveness compared with other methods.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id378646"></a>
- <a class="indexterm" name="id378656"></a>
- <span class="emphasis"><em>MS Windows ACLs through UNIX POSIX ACLs</em></span>
- </p><p>
-<a class="indexterm" name="id378672"></a>
- The use of POSIX ACLs on UNIX/Linux is possible only if the underlying
- operating system supports them. If not, then this option will not be
- available to you. Current UNIX technology platforms have native support
- for POSIX ACLs. There are patches for the Linux kernel that also provide
- this support. Sadly, few Linux platforms ship today with native ACLs and
- extended attributes enabled. This chapter has pertinent information
- for users of platforms that support them.
- </p></li></ul></div></div><div class="sect1" title="File System Access Controls"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id378687"></a>File System Access Controls</h2></div></div></div><p>
-Perhaps the most important recognition to be made is the simple fact that MS Windows NT4/200x/XP
-implement a totally divergent file system technology from what is provided in the UNIX operating system
-environment. First we consider what the most significant differences are, then we look
-at how Samba helps to bridge the differences.
-</p><div class="sect2" title="MS Windows NTFS Comparison with UNIX File Systems"><div class="titlepage"><div><div><h3 class="title"><a name="id378699"></a>MS Windows NTFS Comparison with UNIX File Systems</h3></div></div></div><p>
- <a class="indexterm" name="id378707"></a>
- <a class="indexterm" name="id378714"></a>
- <a class="indexterm" name="id378720"></a>
- <a class="indexterm" name="id378730"></a>
- Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions
- and permissions. It also means that if the MS Windows networking environment requires file system
- behavior, that differs from UNIX file system behavior then somehow Samba is responsible for emulating
- that in a transparent and consistent manner.
- </p><p>
- It is good news that Samba does this to a large extent, and on top of that, provides a high degree
- of optional configuration to override the default behavior. We look at some of these overrides,
- but for the greater part we stay within the bounds of default behavior. Those wishing to explore
- the depths of control ability should review the <code class="filename">smb.conf</code> man page.
- </p><p>The following compares file system features for UNIX with those of MS Windows NT/200x:
- <a class="indexterm" name="id378761"></a>
-
- </p><div class="variablelist"><dl><dt><span class="term">Name Space</span></dt><dd><p>
- MS Windows NT4/200x/XP file names may be up to 254 characters long, and UNIX file names
- may be 1023 characters long. In MS Windows, file extensions indicate particular file types;
- in UNIX this is not so rigorously observed because all names are considered arbitrary.
- </p><p>
- What MS Windows calls a folder, UNIX calls a directory.
- </p></dd><dt><span class="term">Case Sensitivity</span></dt><dd><p>
- <a class="indexterm" name="id378803"></a>
- <a class="indexterm" name="id378810"></a>
- MS Windows file names are generally uppercase if made up of 8.3 (8-character file name
- and 3 character extension. File names that are longer than 8.3 are case preserving and case
- insensitive.
- </p><p>
- UNIX file and directory names are case sensitive and case preserving. Samba implements the
- MS Windows file name behavior, but it does so as a user application. The UNIX file system
- provides no mechanism to perform case-insensitive file name lookups. MS Windows does this
- by default. This means that Samba has to carry the processing overhead to provide features
- that are not native to the UNIX operating system environment.
- </p><p>
- Consider the following. All are unique UNIX names but one single MS Windows file name:
- </p><pre class="screen">
- MYFILE.TXT
- MyFile.txt
- myfile.txt
- </pre><p>
- So clearly, in an MS Windows file namespace these three files cannot co-exist, but in UNIX
- they can.
- </p><p>
- So what should Samba do if all three are present? That which is lexically first will be
- accessible to MS Windows users; the others are invisible and unaccessible any
- other solution would be suicidal. The Windows client will ask for a case-insensitive file
- lookup, and that is the reason for which Samba must offer a consistent selection in the
- event that the UNIX directory contains multiple files that would match a case insensitive
- file listing.
- </p></dd><dt><span class="term">Directory Separators</span></dt><dd><p>
- <a class="indexterm" name="id378863"></a>
- MS Windows and DOS use the backslash <code class="constant">\</code> as a directory delimiter, and UNIX uses
- the forward-slash <code class="constant">/</code> as its directory delimiter. This is handled transparently by Samba.
- </p></dd><dt><span class="term">Drive Identification</span></dt><dd><p>
- <a class="indexterm" name="id378888"></a>
- MS Windows products support a notion of drive letters, like <code class="literal">C:</code>, to represent
- disk partitions. UNIX has no concept of separate identifiers for file partitions; each
- such file system is mounted to become part of the overall directory tree.
- The UNIX directory tree begins at <code class="constant">/</code> just as the root of a DOS drive is specified as
- <code class="constant">C:\</code>.
- </p></dd><dt><span class="term">File Naming Conventions</span></dt><dd><p>
- <a class="indexterm" name="id378922"></a>
- MS Windows generally never experiences file names that begin with a dot (<code class="constant">.</code>), while in UNIX these
- are commonly found in a user's home directory. Files that begin with a dot (<code class="constant">.</code>) are typically
- startup files for various UNIX applications, or they may be files that contain
- startup configuration data.
- </p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p>
- <a class="indexterm" name="id378949"></a>
- <a class="indexterm" name="id378958"></a>
- <a class="indexterm" name="id378967"></a>
- MS Windows make use of <span class="emphasis"><em>links and shortcuts</em></span> that are actually special types of files that will
- redirect an attempt to execute the file to the real location of the file. UNIX knows of file and directory
- links, but they are entirely different from what MS Windows users are used to.
- </p><p>
- Symbolic links are files in UNIX that contain the actual location of the data (file or directory). An
- operation (like read or write) will operate directly on the file referenced. Symbolic links are also
- referred to as <span class="quote">&#8220;<span class="quote">soft links.</span>&#8221;</span> A hard link is something that MS Windows is not familiar with. It allows
- one physical file to be known simultaneously by more than one file name.
- </p></dd></dl></div><p>
- There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
- in the process of becoming familiar with UNIX/Linux. These are best left for a text that is dedicated to the
- purpose of UNIX/Linux training and education.
- </p></div><div class="sect2" title="Managing Directories"><div class="titlepage"><div><div><h3 class="title"><a name="id379000"></a>Managing Directories</h3></div></div></div><p>
-<a class="indexterm" name="id379007"></a>
-<a class="indexterm" name="id379014"></a>
-<a class="indexterm" name="id379021"></a>
- There are three basic operations for managing directories: <code class="literal">create</code>, <code class="literal">delete</code>,
- <code class="literal">rename</code>. <a class="link" href="AccessControls.html#TOSH-Accesstbl" title="Table 16.1. Managing Directories with UNIX and Windows">Managing Directories with UNIX and
- Windows</a> compares the commands in Windows and UNIX that implement these operations.
- </p><div class="table"><a name="TOSH-Accesstbl"></a><p class="title"><b>Table 16.1. Managing Directories with UNIX and Windows</b></p><div class="table-contents"><table summary="Managing Directories with UNIX and Windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">UNIX Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" title="File and Directory Access Control"><div class="titlepage"><div><div><h3 class="title"><a name="id379121"></a>File and Directory Access Control</h3></div></div></div><p>
- <a class="indexterm" name="id379129"></a>
-<a class="indexterm" name="id379138"></a>
-<a class="indexterm" name="id379145"></a>
- The network administrator is strongly advised to read basic UNIX training manuals and reference materials
- regarding file and directory permissions maintenance. Much can be achieved with the basic UNIX permissions
- without having to resort to more complex facilities like POSIX ACLs or extended attributes (EAs).
- </p><p>
- UNIX/Linux file and directory access permissions involves setting three primary sets of data and one control set.
- A UNIX file listing looks as follows:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>ls -la</code></strong>
-total 632
-drwxr-xr-x 13 maryo gnomes 816 2003-05-12 22:56 .
-drwxrwxr-x 37 maryo gnomes 3800 2003-05-12 22:29 ..
-dr-xr-xr-x 2 maryo gnomes 48 2003-05-12 22:29 muchado02
-drwxrwxrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado03
-drw-rw-rw- 2 maryo gnomes 48 2003-05-12 22:29 muchado04
-d-w--w--w- 2 maryo gnomes 48 2003-05-12 22:29 muchado05
-dr--r--r-- 2 maryo gnomes 48 2003-05-12 22:29 muchado06
-drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
----------- 1 maryo gnomes 1242 2003-05-12 22:31 mydata00.lst
---w--w--w- 1 maryo gnomes 7754 2003-05-12 22:33 mydata02.lst
--r--r--r-- 1 maryo gnomes 21017 2003-05-12 22:32 mydata04.lst
--rw-rw-rw- 1 maryo gnomes 41105 2003-05-12 22:32 mydata06.lst
-<code class="prompt">$ </code>
-</pre><p>
- </p><p>
- The columns represent (from left to right) permissions, number of hard links to file, owner, group, size
- (bytes), access date, time of last modification, and file name.
- </p><p>
- An overview of the permissions field is shown in <a class="link" href="AccessControls.html#access1" title="Figure 16.1. Overview of UNIX permissions field.">Overview of UNIX permissions
- field</a>.
- </p><div class="figure"><a name="access1"></a><p class="title"><b>Figure 16.1. Overview of UNIX permissions field.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/access1.png" width="216" alt="Overview of UNIX permissions field."></div></div></div><br class="figure-break"><p>
- Any bit flag may be unset. An unset bit flag is the equivalent of "cannot" and is represented
- as a <span class="quote">&#8220;<span class="quote">-</span>&#8221;</span> character (see <a class="link" href="AccessControls.html#access2" title="Example 16.1. Example File">&#8220;Example File&#8221;</a>)
-<a class="indexterm" name="id379258"></a>
-<a class="indexterm" name="id379265"></a>
-<a class="indexterm" name="id379272"></a>
-<a class="indexterm" name="id379279"></a>
-<a class="indexterm" name="id379285"></a>
-<a class="indexterm" name="id379292"></a>
- </p><div class="example"><a name="access2"></a><p class="title"><b>Example 16.1. Example File</b></p><div class="example-contents"><pre class="programlisting">
--rwxr-x--- Means:
- ^^^ The owner (user) can read, write, execute
- ^^^ the group can read and execute
- ^^^ everyone else cannot do anything with it.
-</pre></div></div><br class="example-break"><p>
-<a class="indexterm" name="id379320"></a>
-<a class="indexterm" name="id379326"></a>
-<a class="indexterm" name="id379333"></a>
-<a class="indexterm" name="id379340"></a>
- Additional possibilities in the [type] field are c = character device, b = block device, p = pipe device,
- s = UNIX Domain Socket.
- </p><p>
-<a class="indexterm" name="id379351"></a>
-<a class="indexterm" name="id379358"></a>
-<a class="indexterm" name="id379365"></a>
-<a class="indexterm" name="id379372"></a>
-<a class="indexterm" name="id379378"></a>
- The letters <code class="constant">rwxXst</code> set permissions for the user, group, and others as read (r), write (w),
- execute (or access for directories) (x), execute only if the file is a directory or already has execute
- permission for some user (X), set user (SUID) or group ID (SGID) on execution (s), sticky (t).
- </p><p>
-<a class="indexterm" name="id379395"></a>
-<a class="indexterm" name="id379402"></a>
-<a class="indexterm" name="id379408"></a>
-<a class="indexterm" name="id379415"></a>
- When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner.
- Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
- directories, such as <code class="filename">/tmp</code>, that are world-writable.
- </p><p>
-<a class="indexterm" name="id379434"></a>
-<a class="indexterm" name="id379441"></a>
-<a class="indexterm" name="id379447"></a>
-<a class="indexterm" name="id379454"></a>
-<a class="indexterm" name="id379463"></a>
- When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or
- group whose `set user or group' bit is set. This can be helpful in setting up directories for which it is desired that
- all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file
- to be exclusively owned by a user whose primary group is not the group that all such users belong to.
- </p><p>
- When a directory is set <code class="constant">d-wx--x---</code>, the owner can read and create (write) files in it, but because
- the (r) read flags are not set, files cannot be listed (seen) in the directory by anyone. The group can read files in the
- directory but cannot create new files. If files in the directory are set to be readable and writable for the group, then
- group members will be able to write to (or delete) them.
- </p><div class="sect3" title="Protecting Directories and Files from Deletion"><div class="titlepage"><div><div><h4 class="title"><a name="id379488"></a>Protecting Directories and Files from Deletion</h4></div></div></div><p>
-<a class="indexterm" name="id379496"></a>
-<a class="indexterm" name="id379503"></a>
-<a class="indexterm" name="id379510"></a>
-<a class="indexterm" name="id379516"></a>
- People have asked on the Samba mailing list how is it possible to protect files or directories from deletion by users.
- For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can
- write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to
- but not deleted. Such concepts are foreign to the UNIX operating system file space. Within the UNIX file system
- anyone who has the ability to create a file can write to it. Anyone who has write permission on the
- directory that contains a file and has write permission for it has the capability to delete it.
- </p><p>
-<a class="indexterm" name="id379532"></a>
-<a class="indexterm" name="id379539"></a>
-<a class="indexterm" name="id379546"></a>
- For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on
- the directory that the file is in. In other words, a user can delete a file in a directory to which that
- user has write access, even if that user does not own the file.
- </p><p>
-<a class="indexterm" name="id379558"></a>
-<a class="indexterm" name="id379565"></a>
-<a class="indexterm" name="id379572"></a>
-<a class="indexterm" name="id379579"></a>
- Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore
- limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs
- a "best fit" translation to POSIX ACLs. Some UNIX file systems do, however support, a feature known
- as extended attributes. Only the Windows concept of <span class="emphasis"><em>inheritance</em></span> is implemented by Samba through
- the appropriate extended attribute.
- </p><p>
-<a class="indexterm" name="id379600"></a>
-<a class="indexterm" name="id379606"></a>
-<a class="indexterm" name="id379613"></a>
-<a class="indexterm" name="id379620"></a>
- The specific semantics of the extended attributes are not consistent across UNIX and UNIX-like systems such as Linux.
- For example, it is possible on some implementations of the extended attributes to set a flag that prevents the directory
- or file from being deleted. The extended attribute that may achieve this is called the <code class="constant">immutable</code> bit.
- Unfortunately, the implementation of the immutable flag is NOT consistent with published documentation. For example, the
- man page for the <code class="literal">chattr</code> on SUSE Linux 9.2 says:
-</p><pre class="screen">
-A file with the i attribute cannot be modified: it cannot be deleted
-or renamed, no link can be created to this file and no data can be
-written to the file. Only the superuser or a process possessing the
-CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
-</pre><p>
- A simple test can be done to check if the immutable flag is supported on files in the file system of the Samba host
- server.
- </p><div class="procedure" title="Procedure 16.1. Test for File Immutibility Support"><a name="id379651"></a><p class="title"><b>Procedure 16.1. Test for File Immutibility Support</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Create a file called <code class="filename">filename</code>.
- </p></li><li class="step" title="Step 2"><p>
- Login as the <code class="constant">root</code> user, then set the immutibile flag on a test file as follows:
-</p><pre class="screen">
-<code class="prompt">root# </code> chattr +i `filename'
-</pre><p>
- </p></li><li class="step" title="Step 3"><p>
- Login as the user who owns the file (not root) and attempt to remove the file as follows:
-</p><pre class="screen">
-mystic:/home/hannibal &gt; rm filename
-</pre><p>
- It will not be possible to delete the file if the immutable flag is correctly honored.
- </p></li></ol></div><p>
- On operating systems and file system types that support the immutable bit, it is possible to create directories
- that cannot be deleted. Check the man page on your particular host system to determine whether or not
- immutable directories are writable. If they are not, then the entire directory and its contents will effectively
- be protected from writing (file creation also) and deletion.
- </p></div></div></div><div class="sect1" title="Share Definition Access Controls"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id379717"></a>Share Definition Access Controls</h2></div></div></div><p>
- <a class="indexterm" name="id379725"></a>
- The following parameters in the <code class="filename">smb.conf</code> file sections define a share control or affect access controls.
- Before using any of the following options, please refer to the man page for <code class="filename">smb.conf</code>.
- </p><div class="sect2" title="User- and Group-Based Controls"><div class="titlepage"><div><div><h3 class="title"><a name="id379748"></a>User- and Group-Based Controls</h3></div></div></div><p>
- User- and group-based controls can prove quite useful. In some situations it is distinctly desirable to
- force all file system operations as if a single user were doing so. The use of the
- <a class="link" href="smb.conf.5.html#FORCEUSER" target="_top">force user</a> and <a class="link" href="smb.conf.5.html#FORCEGROUP" target="_top">force group</a> behavior will achieve this.
- In other situations it may be necessary to use a paranoia level of control to ensure that only particular
- authorized persons will be able to access a share or its contents. Here the use of the
- <a class="link" href="smb.conf.5.html#VALIDUSERS" target="_top">valid users</a> or the <a class="link" href="smb.conf.5.html#INVALIDUSERS" target="_top">invalid users</a> parameter may be useful.
- </p><p>
- As always, it is highly advisable to use the easiest to maintain and the least ambiguous method for
- controlling access. Remember, when you leave the scene, someone else will need to provide assistance, and
- if he or she finds too great a mess or does not understand what you have done, there is risk of
- Samba being removed and an alternative solution being adopted.
- </p><p>
- <a class="link" href="AccessControls.html#ugbc" title="Table 16.2. User- and Group-Based Controls">User and Group Based Controls</a> enumerates these controls.
- </p><div class="table"><a name="ugbc"></a><p class="title"><b>Table 16.2. User- and Group-Based Controls</b></p><div class="table-contents"><table summary="User- and Group-Based Controls" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description, Action, Notes</th></tr></thead><tbody><tr><td align="left"><a class="link" href="smb.conf.5.html#ADMINUSERS" target="_top">admin users</a></td><td align="justify"><p>
- List of users who will be granted administrative privileges on the share.
- They will do all file operations as the superuser (root).
- Users in this list will be able to do anything they like on the share,
- irrespective of file permissions.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#FORCEGROUP" target="_top">force group</a></td><td align="justify"><p>
- Specifies a UNIX group name that will be assigned as the default primary group
- for all users connecting to this service.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#FORCEUSER" target="_top">force user</a></td><td align="justify"><p>
- Specifies a UNIX username that will be assigned as the default user for all users connecting to this service.
- This is useful for sharing files. Incorrect use can cause security problems.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#GUESTOK" target="_top">guest ok</a></td><td align="justify"><p>
- If this parameter is set for a service, then no password is required to connect to the service. Privileges will be
- those of the guest account.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#INVALIDUSERS" target="_top">invalid users</a></td><td align="justify"><p>
- List of users that should not be allowed to login to this service.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#ONLYUSER" target="_top">only user</a></td><td align="justify"><p>
- Controls whether connections with usernames not in the user list will be allowed.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#READLIST" target="_top">read list</a></td><td align="justify"><p>
- List of users that are given read-only access to a service. Users in this list
- will not be given write access, no matter what the read-only option is set to.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#USERNAME" target="_top">username</a></td><td align="justify"><p>
- Refer to the <code class="filename">smb.conf</code> man page for more information; this is a complex and potentially misused parameter.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#VALIDUSERS" target="_top">valid users</a></td><td align="justify"><p>
- List of users that should be allowed to login to this service.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#WRITELIST" target="_top">write list</a></td><td align="justify"><p>
- List of users that are given read-write access to a service.
- </p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" title="File and Directory Permissions-Based Controls"><div class="titlepage"><div><div><h3 class="title"><a name="id380091"></a>File and Directory Permissions-Based Controls</h3></div></div></div><p>
- Directory permission-based controls, if misused, can result in considerable difficulty in diagnosing the causes of
- misconfiguration. Use them sparingly and carefully. By gradually introducing each, one at a time, undesirable side
- effects may be detected. In the event of a problem, always comment all of them out and then gradually reintroduce
- them in a controlled way.
- </p><p>
- Refer to <a class="link" href="AccessControls.html#fdpbc" title="Table 16.3. File and Directory Permission-Based Controls">File and Directory Permission Based Controls</a> for information
- regarding the parameters that may be used to set file and directory permission-based access controls.
- </p><div class="table"><a name="fdpbc"></a><p class="title"><b>Table 16.3. File and Directory Permission-Based Controls</b></p><div class="table-contents"><table summary="File and Directory Permission-Based Controls" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description, Action, Notes</th></tr></thead><tbody><tr><td align="left"><a class="link" href="smb.conf.5.html#CREATEMASK" target="_top">create mask</a></td><td align="justify"><p>
- Refer to the <code class="filename">smb.conf</code> man page.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#DIRECTORYMASK" target="_top">directory mask</a></td><td align="justify"><p>
- The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
- See also directory security mask.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#DOSFILEMODE" target="_top">dos filemode</a></td><td align="justify"><p>
- Enabling this parameter allows a user who has write access to the file to modify the permissions on it.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#FORCECREATEMODE" target="_top">force create mode</a></td><td align="justify"><p>
- This parameter specifies a set of UNIX-mode bit permissions that will always be set on a file created by Samba.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#FORCEDIRECTORYMODE" target="_top">force directory mode</a></td><td align="justify"><p>
- This parameter specifies a set of UNIX-mode bit permissions that will always be set on a directory created by Samba.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#FORCEDIRECTORYSECURITYMODE" target="_top">force directory security mode</a></td><td align="justify"><p>
- Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#FORCESECURITYMODE" target="_top">force security mode</a></td><td align="justify"><p>
- Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#HIDEUNREADABLE" target="_top">hide unreadable</a></td><td align="justify"><p>
- Prevents clients from seeing the existence of files that cannot be read.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#HIDEUNWRITEABLEFILES" target="_top">hide unwriteable files</a></td><td align="justify"><p>
- Prevents clients from seeing the existence of files that cannot be written to. Unwritable directories are shown as usual.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#NTACLSUPPORT" target="_top">nt acl support</a></td><td align="justify"><p>
- This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT ACLs.
- </p></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#SECURITYMASK" target="_top">security mask</a></td><td align="justify"><p>
- Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
- </p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" title="Miscellaneous Controls"><div class="titlepage"><div><div><h3 class="title"><a name="id380402"></a>Miscellaneous Controls</h3></div></div></div><p>
- The parameters documented in <a class="link" href="AccessControls.html#mcoc" title="Table 16.4. Other Controls">Other Controls</a> are often used by administrators
- in ways that create inadvertent barriers to file access. Such are the consequences of not understanding the
- full implications of <code class="filename">smb.conf</code> file settings.
- </p><div class="table"><a name="mcoc"></a><p class="title"><b>Table 16.4. Other Controls</b></p><div class="table-contents"><table summary="Other Controls" border="1"><colgroup><col align="justify"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description, Action, Notes</th></tr></thead><tbody><tr><td align="justify">
- <a class="link" href="smb.conf.5.html#CASESENSITIVE" target="_top">case sensitive</a>,
- <a class="link" href="smb.conf.5.html#DEFAULTCASE" target="_top">default case</a>,
- <a class="link" href="smb.conf.5.html#SHORTPRESERVECASE" target="_top">short preserve case</a>
- </td><td align="justify"><p>
- This means that all file name lookup will be done in a case-sensitive manner.
- Files will be created with the precise file name Samba received from the MS Windows client.
- </p></td></tr><tr><td align="justify"><a class="link" href="smb.conf.5.html#CSCPOLICY" target="_top">csc policy</a></td><td align="justify"><p>
- Client-side caching policy parallels MS Windows client-side file caching capabilities.
- </p></td></tr><tr><td align="justify"><a class="link" href="smb.conf.5.html#DONTDESCEND" target="_top">dont descend</a></td><td align="justify"><p>
- Allows specifying a comma-delimited list of directories that the server should always show as empty.
- </p></td></tr><tr><td align="justify"><a class="link" href="smb.conf.5.html#DOSFILETIMERESOLUTION" target="_top">dos filetime resolution</a></td><td align="justify"><p>
- This option is mainly used as a compatibility option for Visual C++ when used against Samba shares.
- </p></td></tr><tr><td align="justify"><a class="link" href="smb.conf.5.html#DOSFILETIMES" target="_top">dos filetimes</a></td><td align="justify"><p>
- DOS and Windows allow users to change file timestamps if they can write to the file. POSIX semantics prevent this.
- This option allows DOS and Windows behavior.
- </p></td></tr><tr><td align="justify"><a class="link" href="smb.conf.5.html#FAKEOPLOCKS" target="_top">fake oplocks</a></td><td align="justify"><p>
- Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an
- oplock, the client is free to assume that it is the only one accessing the file, and it will aggressively cache file data.
- </p></td></tr><tr><td align="justify">
- <a class="link" href="smb.conf.5.html#HIDEDOTFILES" target="_top">hide dot files</a>,
- <a class="link" href="smb.conf.5.html#HIDEFILES" target="_top">hide files</a>,
- <a class="link" href="smb.conf.5.html#VETOFILES" target="_top">veto files</a>
- </td><td align="justify"><p>
- Note: MS Windows Explorer allows override of files marked as hidden so they will still be visible.
- </p></td></tr><tr><td align="justify"><a class="link" href="smb.conf.5.html#READONLY" target="_top">read only</a></td><td align="justify"><p>
- If this parameter is yes, then users of a service may not create or modify files in the service's directory.
- </p></td></tr><tr><td align="justify"><a class="link" href="smb.conf.5.html#VETOFILES" target="_top">veto files</a></td><td align="justify"><p>
- List of files and directories that are neither visible nor accessible.
- </p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" title="Access Controls on Shares"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id380718"></a>Access Controls on Shares</h2></div></div></div><p>
-<a class="indexterm" name="id380726"></a>
-<a class="indexterm" name="id380732"></a>
-<a class="indexterm" name="id380739"></a>
-<a class="indexterm" name="id380746"></a>
- <a class="indexterm" name="id380753"></a>
- This section deals with how to configure Samba per-share access control restrictions.
- By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
- can be set on MS Windows NT4/200x/XP shares. This can be an effective way to limit who can
- connect to a share. In the absence of specific restrictions, the default setting is to allow
- the global user <code class="constant">Everyone - Full Control</code> (full control, change and read).
- </p><p>
-<a class="indexterm" name="id380772"></a>
-<a class="indexterm" name="id380779"></a>
-<a class="indexterm" name="id380786"></a>
- At this time Samba does not provide a tool for configuring access control settings on the share
- itself. The only way to create those settings is to use either the NT4 Server Manager or the Windows 200x
- Microsoft Management Console (MMC) for Computer Management. There are currently no plans to provide
- this capability in the Samba command-line tool set.
- </p><p>
-<a class="indexterm" name="id380799"></a>
-<a class="indexterm" name="id380806"></a>
-<a class="indexterm" name="id380812"></a>
-<a class="indexterm" name="id380819"></a>
- Samba stores the per-share access control settings in a file called <code class="filename">share_info.tdb</code>.
- The location of this file on your system will depend on how Samba was compiled. The default location
- for Samba's tdb files is under <code class="filename">/usr/local/samba/var</code>. If the <code class="filename">tdbdump</code>
- utility has been compiled and installed on your system, then you can examine the contents of this file
- by executing <code class="literal">tdbdump share_info.tdb</code> in the directory containing the tdb files.
- </p><div class="sect2" title="Share Permissions Management"><div class="titlepage"><div><div><h3 class="title"><a name="id380854"></a>Share Permissions Management</h3></div></div></div><p>
- The best tool for share permissions management is platform-dependent. Choose the best tool for your environment.
- </p><div class="sect3" title="Windows NT4 Workstation/Server"><div class="titlepage"><div><div><h4 class="title"><a name="id380864"></a>Windows NT4 Workstation/Server</h4></div></div></div><p>
-<a class="indexterm" name="id380872"></a>
-<a class="indexterm" name="id380879"></a>
-<a class="indexterm" name="id380885"></a>
-<a class="indexterm" name="id380892"></a>
- The tool you need to manage share permissions on a Samba server from a Windows NT4 Workstation or Server
- is the NT Server Manager. Server Manager is shipped with Windows NT4 Server products but not with Windows
- NT4 Workstation. You can obtain the NT Server Manager for MS Windows NT4 Workstation from the Microsoft
- web site <a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673" target="_top">support</a> section.
- </p><div class="procedure" title="Procedure 16.2. Instructions"><a name="id380909"></a><p class="title"><b>Procedure 16.2. Instructions</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Launch the <span class="application">NT4 Server Manager</span> and click on the Samba server you want to
- administer. From the menu select <span class="guimenu">Computer</span>, then click on
- <span class="guimenuitem">Shared Directories</span>.
- </p></li><li class="step" title="Step 2"><p>
- Click on the share that you wish to manage and click the <span class="guilabel">Properties</span> tab, then click
- the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish.
- </p></li></ol></div></div><div class="sect3" title="Windows 200x/XP"><div class="titlepage"><div><div><h4 class="title"><a name="id380962"></a>Windows 200x/XP</h4></div></div></div><p>
-<a class="indexterm" name="id380970"></a>
-<a class="indexterm" name="id380977"></a>
-<a class="indexterm" name="id380984"></a>
-<a class="indexterm" name="id380990"></a>
- On <span class="application">MS Windows NT4/200x/XP</span> systems, ACLs on the share itself are set using
- tools like the MS Explorer. For example, in Windows 200x, right-click on the shared folder,
- then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default
- Windows NT4/200x permissions allow the group "Everyone" full control on the share.
- </p><p>
-<a class="indexterm" name="id381021"></a>
-<a class="indexterm" name="id381028"></a>
-<a class="indexterm" name="id381034"></a>
- MS Windows 200x and later versions come with a tool called the <span class="application">Computer Management</span>
- snap-in for the MMC. This tool can be accessed via <span class="guimenu">Control Panel -&gt;
- Administrative Tools -&gt; Computer Management</span>.
- </p><div class="procedure" title="Procedure 16.3. Instructions"><a name="id381056"></a><p class="title"><b>Procedure 16.3. Instructions</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- After launching the MMC with the Computer Management snap-in, click the menu item <span class="guimenuitem">Action</span>
- and select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted
- to enter a domain login user identifier and a password. This will authenticate you to the domain.
- If you are already logged in with administrative privilege, this step is not offered.
- </p></li><li class="step" title="Step 2"><p>
- If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, type in the name of the target
- Samba server in the field <span class="guilabel">Name:</span>. Now click the on <span class="guibutton">[+]</span> next to
- <span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to
- <span class="guilabel">Shared Folders</span> in the left panel.
- </p></li><li class="step" title="Step 3"><p>
-<a class="indexterm" name="id381132"></a>
- In the right panel, double-click on the share on which you wish to set access control permissions.
- Then click the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities
- to the shared folder. Remember to set what type of access (full control, change, read) you
- wish to assign for each entry.
- </p></li></ol></div><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
- Be careful. If you take away all permissions from the <code class="constant">Everyone</code> user without removing
- this user, effectively no user will be able to access the share. This is a result of what is known as
- ACL precedence. Everyone with <span class="emphasis"><em>no access</em></span> means that <code class="constant">MaryK</code> who is
- part of the group <code class="constant">Everyone</code> will have no access even if she is given explicit full
- control access.
- </p></div></div></div></div><div class="sect1" title="MS Windows Access Control Lists and UNIX Interoperability"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id381176"></a>MS Windows Access Control Lists and UNIX Interoperability</h2></div></div></div><div class="sect2" title="Managing UNIX Permissions Using NT Security Dialogs"><div class="titlepage"><div><div><h3 class="title"><a name="id381182"></a>Managing UNIX Permissions Using NT Security Dialogs</h3></div></div></div><p>
- <a class="indexterm" name="id381190"></a>
- Windows NT clients can use their native security settings dialog box to view and modify the
- underlying UNIX permissions.
- </p><p>
- This ability is careful not to compromise the security of the UNIX host on which Samba is running and
- still obeys all the file permission rules that a Samba administrator can set.
- </p><p>
- Samba does not attempt to go beyond POSIX ACLs, so the various finer-grained access control
- options provided in Windows are actually ignored.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- All access to UNIX/Linux system files via Samba is controlled by the operating system file access controls.
- When trying to figure out file access problems, it is vitally important to find the identity of the Windows
- user as it is presented by Samba at the point of file access. This can best be determined from the
- Samba log files.
- </p></div></div><div class="sect2" title="Viewing File Security on a Samba Share"><div class="titlepage"><div><div><h3 class="title"><a name="id381222"></a>Viewing File Security on a Samba Share</h3></div></div></div><p>
- From an NT4/2000/XP client, right-click on any file or directory in a Samba-mounted drive letter
- or UNC path. When the menu pops up, click on the <span class="guilabel">Properties</span> entry at the bottom
- of the menu. This brings up the file <code class="constant">Properties</code> dialog box. Click on the
- <span class="guilabel">Security</span> tab and you will see three buttons: <span class="guibutton">Permissions</span>,
- <span class="guibutton">Auditing</span>, and <span class="guibutton">Ownership</span>. The <span class="guibutton">Auditing</span>
- button will cause either an error message <span class="errorname">"A requested privilege is not held by the client"</span>
- to appear if the user is not the NT administrator, or a dialog intended to allow an administrator
- to add auditing requirements to a file if the user is logged on as the NT administrator. This dialog is
- nonfunctional with a Samba share at this time, because the only useful button, the <span class="guibutton">Add</span>
- button, will not currently allow a list of users to be seen.
- </p></div><div class="sect2" title="Viewing File Ownership"><div class="titlepage"><div><div><h3 class="title"><a name="id381286"></a>Viewing File Ownership</h3></div></div></div><p>
- Clicking on the <span class="guibutton">Ownership</span> button brings up a dialog box telling you who owns
- the given file. The owner name will be displayed like this:
- </p><pre class="screen">
- <code class="constant">SERVER\user (Long name)</code>
- </pre><p>
- <em class="replaceable"><code>SERVER</code></em> is the NetBIOS name of the Samba server, <em class="replaceable"><code>user</code></em>
- is the username of the UNIX user who owns the file, and <em class="replaceable"><code>(Long name)</code></em> is the
- descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).
- Click on the <span class="guibutton">Close</span> button to remove this dialog.
- </p><p>
- If the parameter <a class="link" href="smb.conf.5.html#NTACLSUPPORT" target="_top">nt acl support</a> is set to <code class="constant">false</code>,
- the file owner will be shown as the NT user <span class="emphasis"><em>Everyone</em></span>.
- </p><p>
-<a class="indexterm" name="id381355"></a>
- The <span class="guibutton">Take Ownership</span> button will not allow you to change the ownership of this file to
- yourself (clicking it will display a dialog box complaining that the user as whom you are currently logged onto
- the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged
- operation in UNIX, available only to the <span class="emphasis"><em>root</em></span> user. Because clicking on this button causes
- NT to attempt to change the ownership of a file to the current user logged into the NT client, this will
- not work with Samba at this time.
- </p><p>
-<a class="indexterm" name="id381379"></a>
-<a class="indexterm" name="id381386"></a>
-<a class="indexterm" name="id381392"></a>
- There is an NT <code class="literal">chown</code> command that will work with Samba and allow a user with administrator
- privilege connected to a Samba server as root to change the ownership of files on both a local NTFS file system
- or remote mounted NTFS or Samba drive. This is available as part of the <span class="application">Seclib</span> NT
- security library written by Jeremy Allison of the Samba Team and is downloadable from the main Samba FTP site.
- </p></div><div class="sect2" title="Viewing File or Directory Permissions"><div class="titlepage"><div><div><h3 class="title"><a name="id381416"></a>Viewing File or Directory Permissions</h3></div></div></div><p>
- The third button is the <span class="guibutton">Permissions</span> button. Clicking on it brings up a dialog box
- that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed like this:
- </p><p><code class="literal"><em class="replaceable"><code>SERVER</code></em>\
- <em class="replaceable"><code>user</code></em>
- <em class="replaceable"><code>(Long name)</code></em></code></p><p><em class="replaceable"><code>SERVER</code></em> is the NetBIOS name of the Samba server,
- <em class="replaceable"><code>user</code></em> is the username of the UNIX user who owns the file, and
- <em class="replaceable"><code>(Long name)</code></em> is the descriptive string identifying the user (normally found in the
- GECOS field of the UNIX password database).</p><p>
- If the parameter <a class="link" href="smb.conf.5.html#NTACLSUPPORT" target="_top">nt acl support</a> is set to <code class="constant">false</code>,
- the file owner will be shown as the NT user <code class="constant">Everyone</code>, and the permissions will be
- shown as NT <span class="emphasis"><em>Full Control</em></span>.
- </p><p>
- The permissions field is displayed differently for files and directories. Both are discussed next.
- </p><div class="sect3" title="File Permissions"><div class="titlepage"><div><div><h4 class="title"><a name="id381493"></a>File Permissions</h4></div></div></div><p>
- The standard UNIX user/group/world triplet and the corresponding <code class="constant">read, write,
- execute</code> permissions triplets are mapped by Samba into a three-element NT ACL with the
- <span class="quote">&#8220;<span class="quote">r</span>&#8221;</span>, <span class="quote">&#8220;<span class="quote">w</span>&#8221;</span>, and <span class="quote">&#8220;<span class="quote">x</span>&#8221;</span> bits mapped into the corresponding NT
- permissions. The UNIX world permissions are mapped into the global NT group <code class="constant">Everyone</code>, followed
- by the list of permissions allowed for the UNIX world. The UNIX owner and group permissions are displayed as an NT
- <span class="guiicon">user</span> icon and an NT <span class="guiicon">local group</span> icon, respectively, followed by the list
- of permissions allowed for the UNIX user and group.
- </p><p>
- Because many UNIX permission sets do not map into common NT names such as <code class="constant">read</code>,
- <code class="constant">change</code>, or <code class="constant">full control</code>, usually the permissions will be prefixed
- by the words <code class="constant">Special Access</code> in the NT display list.
- </p><p>
- But what happens if the file has no permissions allowed for a particular UNIX user group or world component?
- In order to allow <span class="emphasis"><em>no permissions</em></span> to be seen and modified, Samba then overloads the NT
- <code class="constant">Take Ownership</code> ACL attribute (which has no meaning in UNIX) and reports a component with
- no permissions as having the NT <code class="literal">O</code> bit set. This was chosen, of course, to make it look
- like a zero, meaning zero permissions. More details on the decision behind this action are given below.
- </p></div><div class="sect3" title="Directory Permissions"><div class="titlepage"><div><div><h4 class="title"><a name="id381576"></a>Directory Permissions</h4></div></div></div><p>
- Directories on an NT NTFS file system have two different sets of permissions. The first set is the ACL set on the
- directory itself, which is usually displayed in the first set of parentheses in the normal <code class="constant">RW</code>
- NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described
- above, and is displayed in the same way.
- </p><p>
- The second set of directory permissions has no real meaning in the UNIX permissions world and represents the <code class="constant">
- inherited</code> permissions that any file created within this directory would inherit.
- </p><p>
- Samba synthesizes these inherited permissions for NT by returning as an NT ACL the UNIX permission mode that a new file
- created by Samba on this share would receive.
- </p></div></div><div class="sect2" title="Modifying File or Directory Permissions"><div class="titlepage"><div><div><h3 class="title"><a name="id381607"></a>Modifying File or Directory Permissions</h3></div></div></div><p>
- Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box
- and clicking on <span class="guibutton">OK</span>. However, there are limitations that a user needs to be aware of,
- and also interactions with the standard Samba permission masks and mapping of DOS attributes that also need to
- be taken into account.
- </p><p>
- If the parameter <a class="link" href="smb.conf.5.html#NTACLSUPPORT" target="_top">nt acl support</a> is set to <code class="constant">false</code>, any attempt to
- set security permissions will fail with an <span class="errorname">"Access Denied" </span> message.
- </p><p>
- The first thing to note is that the <span class="guibutton">Add</span> button will not return a list of users in Samba
- (it will give an error message saying <span class="errorname">"The remote procedure call failed and did not
- execute"</span>). This means that you can only manipulate the current user/group/world permissions listed
- in the dialog box. This actually works quite well because these are the only permissions that UNIX actually
- has.
- </p><p>
- If a permission triplet (either user, group, or world) is removed from the list of permissions in the NT
- dialog box, then when the <span class="guibutton">OK</span> button is pressed, it will be applied as <span class="emphasis"><em>no
- permissions</em></span> on the UNIX side. If you view the permissions again, the <span class="emphasis"><em>no
- permissions</em></span> entry will appear as the NT <code class="literal">O</code> flag, as described above. This allows
- you to add permissions back to a file or directory once you have removed them from a triplet component.
- </p><p>
- Because UNIX supports only the <span class="quote">&#8220;<span class="quote">r</span>&#8221;</span>, <span class="quote">&#8220;<span class="quote">w</span>&#8221;</span>, and <span class="quote">&#8220;<span class="quote">x</span>&#8221;</span> bits of an NT ACL, if
- other NT security attributes such as <code class="constant">Delete Access</code> are selected, they will be ignored
- when applied on the Samba server.
- </p><p>
- When setting permissions on a directory, the second set of permissions (in the second set of parentheses) is
- by default applied to all files within that directory. If this is not what you want, you must uncheck the
- <span class="guilabel">Replace permissions on existing files</span> checkbox in the NT dialog before clicking on
- <span class="guibutton">OK</span>.
- </p><p>
- If you wish to remove all permissions from a user/group/world component, you may either highlight the
- component and click on the <span class="guibutton">Remove</span> button or set the component to only have the special
- <code class="constant">Take Ownership</code> permission (displayed as <code class="literal">O</code>) highlighted.
- </p></div><div class="sect2" title="Interaction with the Standard Samba &#8220;create mask&#8221; Parameters"><div class="titlepage"><div><div><h3 class="title"><a name="id381747"></a>Interaction with the Standard Samba <span class="quote">&#8220;<span class="quote">create mask</span>&#8221;</span> Parameters</h3></div></div></div><p>There are four parameters that control interaction with the standard Samba <em class="parameter"><code>create mask</code></em> parameters:
-
-
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><a class="link" href="smb.conf.5.html#SECURITYMASK" target="_top">security mask</a></p></li><li class="listitem"><p><a class="link" href="smb.conf.5.html#FORCESECURITYMODE" target="_top">force security mode</a></p></li><li class="listitem"><p><a class="link" href="smb.conf.5.html#DIRECTORYSECURITYMASK" target="_top">directory security mask</a></p></li><li class="listitem"><p><a class="link" href="smb.conf.5.html#FORCEDIRECTORYSECURITYMODE" target="_top">force directory security mode</a></p></li></ul></div><p>
-
- </p><p>
- When a user clicks on <span class="guibutton">OK</span> to apply the
- permissions, Samba maps the given permissions into a user/group/world
- r/w/x triplet set, and then checks the changed permissions for a
- file against the bits set in the
- <a class="link" href="smb.conf.5.html#SECURITYMASK" target="_top">security mask</a> parameter. Any bits that
- were changed that are not set to <span class="emphasis"><em>1</em></span> in this parameter are left alone
- in the file permissions.</p><p>
- Essentially, zero bits in the <a class="link" href="smb.conf.5.html#SECURITYMASK" target="_top">security mask</a>
- may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span>
- allowed to change, and one bits are those the user is allowed to change.
- </p><p>
- If not explicitly set, this parameter defaults to the same value as
- the <a class="link" href="smb.conf.5.html#CREATEMASK" target="_top">create mask</a> parameter. To allow a user to modify all the
- user/group/world permissions on a file, set this parameter to 0777.
- </p><p>
- Next Samba checks the changed permissions for a file against the bits set in the
- <a class="link" href="smb.conf.5.html#FORCESECURITYMODE" target="_top">force security mode</a> parameter. Any bits
- that were changed that correspond to bits set to <span class="emphasis"><em>1</em></span> in this parameter
- are forced to be set.</p><p>
- Essentially, bits set in the <em class="parameter"><code>force security mode</code></em> parameter
- may be treated as a set of bits that, when modifying security on a file, the user
- has always set to be <span class="emphasis"><em>on</em></span>.</p><p>
- If not explicitly set, this parameter defaults to the same value
- as the <a class="link" href="smb.conf.5.html#FORCECREATEMODE" target="_top">force create mode</a> parameter.
- To allow a user to modify all the user/group/world permissions on a file
- with no restrictions, set this parameter to 000. The
- <a class="link" href="smb.conf.5.html#SECURITYMASK" target="_top">security mask</a> and <em class="parameter"><code>force
- security mode</code></em> parameters are applied to the change
- request in that order.</p><p>
- For a directory, Samba performs the same operations as
- described above for a file except it uses the parameter <em class="parameter"><code>
- directory security mask</code></em> instead of <em class="parameter"><code>security
- mask</code></em>, and <em class="parameter"><code>force directory security mode
- </code></em> parameter instead of <em class="parameter"><code>force security mode
- </code></em>.</p><p>
- The <a class="link" href="smb.conf.5.html#DIRECTORYSECURITYMASK" target="_top">directory security mask</a> parameter
- by default is set to the same value as the <em class="parameter"><code>directory mask
- </code></em> parameter and the <em class="parameter"><code>force directory security
- mode</code></em> parameter by default is set to the same value as
- the <a class="link" href="smb.conf.5.html#FORCEDIRECTORYMODE" target="_top">force directory mode</a> parameter.
- In this way Samba enforces the permission restrictions that
- an administrator can set on a Samba share, while still allowing users
- to modify the permission bits within that restriction.</p><p>
- If you want to set up a share that allows users full control
- in modifying the permission bits on their files and directories and
- does not force any particular bits to be set <span class="emphasis"><em>on</em></span>,
- then set the following parameters in the <code class="filename">smb.conf</code> file in that
- share-specific section:
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id382036"></a><em class="parameter"><code>security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382047"></a><em class="parameter"><code>force security mode = 0</code></em></td></tr><tr><td><a class="indexterm" name="id382059"></a><em class="parameter"><code>directory security mask = 0777</code></em></td></tr><tr><td><a class="indexterm" name="id382070"></a><em class="parameter"><code>force directory security mode = 0</code></em></td></tr></table></div><div class="sect2" title="Interaction with the Standard Samba File Attribute Mapping"><div class="titlepage"><div><div><h3 class="title"><a name="id382083"></a>Interaction with the Standard Samba File Attribute Mapping</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- Samba maps some of the DOS attribute bits (such as <span class="quote">&#8220;<span class="quote">read-only</span>&#8221;</span>)
- into the UNIX permissions of a file. This means there can
- be a conflict between the permission bits set via the security
- dialog and the permission bits set by the file attribute mapping.
- </p></div><p>
- If a file has no UNIX read access for the owner, it will show up
- as <span class="quote">&#8220;<span class="quote">read-only</span>&#8221;</span> in the standard file attributes tabbed dialog.
- Unfortunately, this dialog is the same one that contains the security information
- in another tab.
- </p><p>
- What this can mean is that if the owner changes the permissions
- to allow himself or herself read access using the security dialog, clicks on
- <span class="guibutton">OK</span> to get back to the standard attributes tab
- dialog, and clicks on <span class="guibutton">OK</span> on that dialog, then
- NT will set the file permissions back to read-only (as that is what
- the attributes still say in the dialog). This means that after setting
- permissions and clicking on <span class="guibutton">OK</span> to get back to the
- attributes dialog, you should always press <span class="guibutton">Cancel</span>
- rather than <span class="guibutton">OK</span> to ensure that your changes
- are not overridden.
- </p></div><div class="sect2" title="Windows NT/200X ACLs and POSIX ACLs Limitations"><div class="titlepage"><div><div><h3 class="title"><a name="id382146"></a>Windows NT/200X ACLs and POSIX ACLs Limitations</h3></div></div></div><p>
- Windows administrators are familiar with simple ACL controls, and they typically
- consider that UNIX user/group/other (ugo) permissions are inadequate and not
- sufficiently fine-grained.
- </p><p>
- Competing SMB implementations differ in how they handle Windows ACLs. Samba handles
- Windows ACLs from the perspective of UNIX file system administration and thus adopts
- the limitations of POSIX ACLs. Therefore, where POSIX ACLs lack a capability of the
- Windows NT/200X ACLs, the POSIX semantics and limitations are imposed on the Windows
- administrator.
- </p><p>
- POSIX ACLs present an interesting challenge to the UNIX administrator and therefore
- force a compromise to be applied to Windows ACLs administration. POSIX ACLs are not
- covered by an official standard; rather, the latest standard is a draft standard
- 1003.1e revision 17. This is the POSIX document on which the Samba implementation has
- been implemented.
- </p><p>
- UNIX vendors differ in the manner in which POSIX ACLs are implemented. There are a
- number of Linux file systems that support ACLs. Samba has to provide a way to make
- transparent all the differences between the various implementations of POSIX ACLs.
- The pressure for ACLs support in Samba has noticeably increased the pressure to
- standardize ACLs support in the UNIX world.
- </p><p>
- Samba has to deal with the complicated matter of handling the challenge of the Windows
- ACL that implements <span class="emphasis"><em>inheritance</em></span>, a concept not anticipated by POSIX
- ACLs as implemented in UNIX file systems. Samba provides support for <span class="emphasis"><em>masks</em></span>
- that permit normal ugo and ACLs functionality to be overridden. This further complicates
- the way in which Windows ACLs must be implemented.
- </p><div class="sect3" title="UNIX POSIX ACL Overview"><div class="titlepage"><div><div><h4 class="title"><a name="id382190"></a>UNIX POSIX ACL Overview</h4></div></div></div><p>
- In examining POSIX ACLs we must consider the manner in which they operate for
- both files and directories. File ACLs have the following significance:
-</p><pre class="screen">
-# file: testfile &lt;- the file name
-# owner: jeremy &lt;-- the file owner
-# group: users &lt;-- the POSIX group owner
-user::rwx &lt;-- perms for the file owner (user)
-user:tpot:r-x &lt;-- perms for the additional user `tpot'
-group::r-- &lt;-- perms for the file group owner (group)
-group:engrs:r-- &lt;-- perms for the additonal group `engineers'
-mask:rwx &lt;-- the mask that is `ANDed' with groups
-other::--- &lt;-- perms applied to everyone else (other)
-</pre><p>
- Directory ACLs have the following signficance:
-</p><pre class="screen">
-# file: testdir &lt;-- the directory name
-# owner: jeremy &lt;-- the directory owner
-# group: jeremy &lt;-- the POSIX group owner
-user::rwx &lt;-- directory perms for owner (user)
-group::rwx &lt;-- directory perms for owning group (group)
-mask::rwx &lt;-- the mask that is `ANDed' with group perms
-other:r-x &lt;-- perms applied to everyone else (other)
-default:user::rwx &lt;-- inherited owner perms
-default:user:tpot:rwx &lt;-- inherited extra perms for user `tpot'
-default:group::r-x &lt;-- inherited group perms
-default:mask:rwx &lt;-- inherited default mask
-default:other:--- &lt;-- inherited permissions for everyone (other)
-</pre><p>
- </p></div><div class="sect3" title="Mapping of Windows File ACLs to UNIX POSIX ACLs"><div class="titlepage"><div><div><h4 class="title"><a name="id382231"></a>Mapping of Windows File ACLs to UNIX POSIX ACLs</h4></div></div></div><p>
- Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs.
- The mappings for file permissions are shown in <a class="link" href="AccessControls.html#fdsacls" title="Table 16.5. How Windows File ACLs Map to UNIX POSIX File ACLs">How
- Windows File ACLs Map to UNIX POSIX File ACLs</a>.
- The # character means this flag is set only when the Windows administrator
- sets the <code class="constant">Full Control</code> flag on the file.
- </p><div class="table"><a name="fdsacls"></a><p class="title"><b>Table 16.5. How Windows File ACLs Map to UNIX POSIX File ACLs</b></p><div class="table-contents"><table summary="How Windows File ACLs Map to UNIX POSIX File ACLs" border="1"><colgroup><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Windows ACE</th><th align="center">File Attribute Flag</th></tr></thead><tbody><tr><td align="left"><p>Full Control</p></td><td align="center"><p>#</p></td></tr><tr><td align="left"><p>Traverse Folder/Execute File</p></td><td align="center"><p>x</p></td></tr><tr><td align="left"><p>List Folder/Read Data</p></td><td align="center"><p>r</p></td></tr><tr><td align="left"><p>Read Attributes</p></td><td align="center"><p>r</p></td></tr><tr><td align="left"><p>Read Extended Attribures</p></td><td align="center"><p>r</p></td></tr><tr><td align="left"><p>Create Files/Write Data</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Create Folders/Append Data</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Write Attributes</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Write Extended Attributes</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Delete Subfolders and Files</p></td><td align="center"><p>w</p></td></tr><tr><td align="left"><p>Delete</p></td><td align="center"><p>#</p></td></tr><tr><td align="left"><p>Read Permissions</p></td><td align="center"><p>all</p></td></tr><tr><td align="left"><p>Change Permissions</p></td><td align="center"><p>#</p></td></tr><tr><td align="left"><p>Take Ownership</p></td><td align="center"><p>#</p></td></tr></tbody></table></div></div><br class="table-break"><p>
- As can be seen from the mapping table, there is no one-to-one mapping capability, and therefore
- Samba must make a logical mapping that will permit Windows to operate more-or-less the way
- that is intended by the administrator.
- </p><p>
- In general the mapping of UNIX POSIX user/group/other permissions will be mapped to
- Windows ACLs. This has precedence over the creation of POSIX ACLs. POSIX ACLs are necessary
- to establish access controls for users and groups other than the user and group that
- own the file or directory.
- </p><p>
- The UNIX administrator can set any directory permission from within the UNIX environment.
- The Windows administrator is more restricted in that it is not possible from within
- Windows Explorer to remove read permission for the file owner.
- </p></div><div class="sect3" title="Mapping of Windows Directory ACLs to UNIX POSIX ACLs"><div class="titlepage"><div><div><h4 class="title"><a name="id382488"></a>Mapping of Windows Directory ACLs to UNIX POSIX ACLs</h4></div></div></div><p>
- Interesting things happen in the mapping of UNIX POSIX directory permissions and
- UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete components of
- an ACL) are mapped to Windows directory ACLs.
- </p><p>
- Directory permissions function in much the same way as shown for file permissions, but
- there are some notable exceptions and a few peculiarities that the astute administrator
- will want to take into account in the setting up of directory permissions.
- </p></div></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id382508"></a>Common Errors</h2></div></div></div><p>
-File, directory, and share access problems are common topics on the mailing list. The following
-are examples recently taken from the mailing list.
-</p><div class="sect2" title="Users Cannot Write to a Public Share"><div class="titlepage"><div><div><h3 class="title"><a name="id382518"></a>Users Cannot Write to a Public Share</h3></div></div></div><p>
- The following complaint has frequently been voiced on the Samba mailing list:
- <span class="quote">&#8220;<span class="quote">
- We are facing some troubles with file/directory permissions. I can log on the domain as admin user (root),
- and there's a public share on which everyone needs to have permission to create/modify files, but only
- root can change the file, no one else can. We need to constantly go to the server to
- <strong class="userinput"><code>chgrp -R users *</code></strong> and <strong class="userinput"><code>chown -R nobody *</code></strong> to allow
- other users to change the file.
- </span>&#8221;</span>
- </p><p>
- Here is one way the problem can be solved:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Go to the top of the directory that is shared.
- </p></li><li class="step" title="Step 2"><p>
- Set the ownership to whatever public user and group you want
-</p><pre class="screen">
-<code class="prompt">$ </code>find `directory_name' -type d -exec chown user:group {}\;
-<code class="prompt">$ </code>find `directory_name' -type d -exec chmod 2775 {}\;
-<code class="prompt">$ </code>find `directory_name' -type f -exec chmod 0775 {}\;
-<code class="prompt">$ </code>find `directory_name' -type f -exec chown user:group {}\;
-</pre><p>
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- The above will set the <code class="constant">SGID bit</code> on all directories. Read your
- UNIX/Linux man page on what that does. This ensures that all files and directories
- that are created in the directory tree will be owned by the current user and will
- be owned by the group that owns the directory in which it is created.
- </p></div></li><li class="step" title="Step 3"><p>
- Directory is <em class="replaceable"><code>/foodbar</code></em>:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>chown jack:engr /foodbar</code></strong>
-</pre><p>
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This is the same as doing:</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>chown jack /foodbar</code></strong>
-<code class="prompt">$ </code><strong class="userinput"><code>chgrp engr /foodbar</code></strong>
-</pre></div></li><li class="step" title="Step 4"><p>Now type:
-
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>chmod 2775 /foodbar</code></strong>
-<code class="prompt">$ </code><strong class="userinput"><code>ls -al /foodbar/..</code></strong>
-</pre><p>
- </p><p>You should see:
-</p><pre class="screen">
-drwxrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
-</pre><p>
- </p></li><li class="step" title="Step 5"><p>Now type:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>su - jill</code></strong>
-<code class="prompt">$ </code><strong class="userinput"><code>cd /foodbar</code></strong>
-<code class="prompt">$ </code><strong class="userinput"><code>touch Afile</code></strong>
-<code class="prompt">$ </code><strong class="userinput"><code>ls -al</code></strong>
-</pre><p>
- </p><p>
- You should see that the file <code class="filename">Afile</code> created by Jill will have ownership
- and permissions of Jack, as follows:
-</p><pre class="screen">
--rw-r--r-- 1 jill engr 0 2007-01-18 19:41 Afile
-</pre><p>
- </p></li><li class="step" title="Step 6"><p>
- If the user that must have write permission in the directory is not a member of the group
- <span class="emphasis"><em>engr</em></span> set in the <code class="filename">smb.conf</code> entry for the share:
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id382810"></a><em class="parameter"><code>force group = engr</code></em></td></tr></table><p>
- </p></li></ol></div></div><div class="sect2" title="File Operations Done as root with force user Set"><div class="titlepage"><div><div><h3 class="title"><a name="id382826"></a>File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</h3></div></div></div><p>
- When you have a user in <a class="link" href="smb.conf.5.html#ADMINUSERS" target="_top">admin users</a>, Samba will always do file operations for
- this user as <span class="emphasis"><em>root</em></span>, even if <a class="link" href="smb.conf.5.html#FORCEUSER" target="_top">force user</a> has been set.
- </p></div><div class="sect2" title="MS Word with Samba Changes Owner of File"><div class="titlepage"><div><div><h3 class="title"><a name="id382869"></a>MS Word with Samba Changes Owner of File</h3></div></div></div><p>
- <span class="emphasis"><em>Question:</em></span> <span class="quote">&#8220;<span class="quote">When user B saves a word document that is owned by user A,
- the updated file is now owned by user B. Why is Samba doing this? How do I fix this?</span>&#8221;</span>
- </p><p>
- <span class="emphasis"><em>Answer:</em></span> Word does the following when you modify/change a Word document: MS Word creates a new document with
- a temporary name. Word then closes the old document and deletes it, then renames the new document to the original document name.
- There is no mechanism by which Samba can in any way know that the new document really should be owned by the owners
- of the original file. Samba has no way of knowing that the file will be renamed by MS Word. As far as Samba is able
- to tell, the file that gets created is a new file, not one that the application (Word) is updating.
- </p><p>
- There is a workaround to solve the permissions problem. It involves understanding how you can manage file
- system behavior from within the <code class="filename">smb.conf</code> file, as well as understanding how UNIX file systems work. Set on the directory
- in which you are changing Word documents: <code class="literal">chmod g+s `directory_name'.</code> This ensures that all files will
- be created with the group that owns the directory. In <code class="filename">smb.conf</code> share declaration section set:
- </p><p>
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id382935"></a><em class="parameter"><code>force create mode = 0660</code></em></td></tr><tr><td><a class="indexterm" name="id382946"></a><em class="parameter"><code>force directory mode = 0770</code></em></td></tr></table><p>
- </p><p>
- These two settings will ensure that all directories and files that get created in the share will be readable/writable by the
- owner and group set on the directory itself.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="rights.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. User Rights and Privileges </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 17. File and Record Locking</td></tr></table></div></body></html>
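Review bot: the "Users Cannot Write to a Public Share" procedure removed in this hunk has command and wording errors that should be corrected in the source this page is built from, so they do not come back with the next rendering. The four `find` lines end in `{}\;` with no space before `\;`, so the shell passes `{};` as one argument and `find` stops with a missing `-exec` terminator; they should end in `{} \;`. The same step runs `chmod 0775` on every regular file, which sets the execute bits on all files in the share, where `0664` would already give the owner and group the write access the complaint asks for. Step 5 says `Afile` "will have ownership and permissions of Jack" while the listing under it shows owner `jill` and group `engr`, and step 6 ends after its condition without telling the reader to add `force group = engr`. Smaller points in the same hunk: the two POSIX ACL listings write the mask and other entries inconsistently (`mask:rwx` and `mask::rwx`, `other::---` and `other:r-x`), Table 16.5 has "Read Extended Attribures", and the listings and their lead-in have "additonal" and "signficance".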
diff --git a/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html b/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html
deleted file mode 100644
index 5996f3f733..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html
+++ /dev/null
@@ -1,319 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 25. Advanced Network Management</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts"><link rel="next" href="PolicyMgmt.html" title="Chapter 26. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 25. Advanced Network Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 25. Advanced Network Management"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 25. 
Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">June 15 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id421386">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id421545">Remote Desktop Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a></span></dt></dl></dd><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id422084">Network Logon Script Magic</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id422250">Adding Printers without User Intervention</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id422290">Limiting Logon Connections</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id421376"></a>
-This section documents peripheral issues that are of great importance to network
-administrators who want to improve network resource access control, to automate the user
-environment, and to make their lives a little easier.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id421386"></a>Features and Benefits</h2></div></div></div><p>
-Often the difference between a working network environment and a well-appreciated one can
-best be measured by the <span class="emphasis"><em>little things</em></span> that make everything work more
-harmoniously. A key part of every network environment solution is the ability to remotely
-manage MS Windows workstations, remotely access the Samba server, provide customized
-logon scripts, as well as other housekeeping activities that help to sustain more reliable
-network operations.
-</p><p>
-This chapter presents information on each of these areas. They are placed here, and not in
-other chapters, for ease of reference.
-</p></div><div class="sect1" title="Remote Server Administration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id421408"></a>Remote Server Administration</h2></div></div></div><p><span class="quote">&#8220;<span class="quote">How do I get User Manager and Server Manager?</span>&#8221;</span></p><p>
-<a class="indexterm" name="id421420"></a>
-<a class="indexterm" name="id421427"></a>
-<a class="indexterm" name="id421434"></a>
-Since I do not need to buy an <span class="application">NT4 server</span>, how do I get the User Manager for Domains
-and the Server Manager?
-</p><p>
-<a class="indexterm" name="id421451"></a>
-<a class="indexterm" name="id421458"></a>
-Microsoft distributes a version of these tools called <code class="filename">Nexus.exe</code> for installation
-on <span class="application">Windows 9x/Me</span> systems. The tools set includes:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Server Manager</p></li><li class="listitem"><p>User Manager for Domains</p></li><li class="listitem"><p>Event Viewer</p></li></ul></div><p>
-Download the archived file at the Microsoft <a class="ulink" href="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" target="_top">Nexus</a> link.
-</p><p>
-<a class="indexterm" name="id421509"></a>
-<a class="indexterm" name="id421516"></a>
-<a class="indexterm" name="id421523"></a>
-The <span class="application">Windows NT 4.0</span> version of the User Manager for
-Domains and Server Manager are available from Microsoft
-<a class="ulink" href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">via ftp</a>.
-</p></div><div class="sect1" title="Remote Desktop Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id421545"></a>Remote Desktop Management</h2></div></div></div><p>
-<a class="indexterm" name="id421552"></a>
-<a class="indexterm" name="id421559"></a>
-There are a number of possible remote desktop management solutions that range from free
-through costly. Do not let that put you off. Sometimes the most costly solution is the
-most cost effective. In any case, you will need to draw your own conclusions as to which
-is the best tool in your network environment.
-</p><div class="sect2" title="Remote Management from NoMachine.Com"><div class="titlepage"><div><div><h3 class="title"><a name="id421570"></a>Remote Management from NoMachine.Com</h3></div></div></div><p>
- <a class="indexterm" name="id421577"></a>
- The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
- It is presented in slightly edited form (with author details omitted for privacy reasons).
- The entire answer is reproduced below with some comments removed.
- </p><p><span class="quote">&#8220;<span class="quote">
-<a class="indexterm" name="id421591"></a>
- I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote
- desktop capabilities so users outside could login to the system and get their desktop up from home or
- another country.
- </span>&#8221;</span></p><p><span class="quote">&#8220;<span class="quote">
-<a class="indexterm" name="id421604"></a>
-<a class="indexterm" name="id421611"></a>
-<a class="indexterm" name="id421617"></a>
-<a class="indexterm" name="id421624"></a>
- Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so
- it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login
- even if the computer is in a domain?
- </span>&#8221;</span></p><p>
- Answer provided: Check out the new offer of <span class="quote">&#8220;<span class="quote">NX</span>&#8221;</span> software from
- <a class="ulink" href="http://www.nomachine.com/" target="_top">NoMachine</a>.
- </p><p>
-<a class="indexterm" name="id421652"></a>
-<a class="indexterm" name="id421659"></a>
-<a class="indexterm" name="id421665"></a>
- It implements an easy-to-use interface to the Remote X protocol as
- well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
- performance much better than anything you may have ever seen.
- </p><p>
-<a class="indexterm" name="id421677"></a>
- Remote X is not new at all, but what they did achieve successfully is
- a new way of compression and caching technologies that makes the thing
- fast enough to run even over slow modem/ISDN connections.
- </p><p>
-<a class="indexterm" name="id421689"></a>
-<a class="indexterm" name="id421696"></a>
-<a class="indexterm" name="id421703"></a>
-<a class="indexterm" name="id421710"></a>
- I test drove their (public) Red Hat machine in Italy, over a loaded
- Internet connection, with enabled thumbnail previews in KDE konqueror,
- which popped up immediately on <span class="quote">&#8220;<span class="quote">mouse-over</span>&#8221;</span>. From inside that (remote X)
- session I started a rdesktop session on another, a Windows XP machine.
- To test the performance, I played Pinball. I am proud to announce
- that my score was 631,750 points at first try.
- </p><p>
-<a class="indexterm" name="id421725"></a>
-<a class="indexterm" name="id421732"></a>
-<a class="indexterm" name="id421739"></a>
-<a class="indexterm" name="id421745"></a>
- NX performs better on my local LAN than any of the other <span class="quote">&#8220;<span class="quote">pure</span>&#8221;</span>
- connection methods I use from time to time: TightVNC, rdesktop or
- Remote X. It is even faster than a direct crosslink connection between
- two nodes.
- </p><p>
-<a class="indexterm" name="id421761"></a>
-<a class="indexterm" name="id421768"></a>
-<a class="indexterm" name="id421775"></a>
- I even got sound playing from the Remote X app to my local boxes, and
- had a working <span class="quote">&#8220;<span class="quote">copy'n'paste</span>&#8221;</span> from an NX window (running a KDE session
- in Italy) to my Mozilla mailing agent. These guys are certainly doing
- something right!
- </p><p>
- I recommend test driving NX to anybody with a only a passing interest in remote computing
- the <a class="ulink" href="http://www.nomachine.com/testdrive.php" target="_top">NX</a> utility.
- </p><p>
- Just download the free-of-charge client software (available for Red Hat,
- SuSE, Debian and Windows) and be up and running within 5 minutes (they
- need to send you your account data, though, because you are assigned
- a real UNIX account on their testdrive.nomachine.com box).
- </p><p>
- They plan to get to the point were you can have NX application servers
- running as a cluster of nodes, and users simply start an NX session locally
- and can select applications to run transparently (apps may even run on
- another NX node, but pretend to be on the same as used for initial login,
- because it displays in the same window. You also can run it
- full-screen, and after a short time you forget that it is a remote session
- at all).
- </p><p>
-<a class="indexterm" name="id421815"></a>
- Now the best thing for last: All the core compression and caching
- technologies are released under the GPL and available as source code
- to anybody who wants to build on it! These technologies are working,
- albeit started from the command line only (and very inconvenient to
- use in order to get a fully running remote X session up and running).
- </p><p>
- To answer your questions:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- You do not need to install a terminal server; XP has RDP support built in.
- </p></li><li class="listitem"><p>
- NX is much cheaper than Citrix and comparable in performance, probably faster.
- </p></li><li class="listitem"><p>
- You do not need to hack XP it just works.
- </p></li><li class="listitem"><p>
- You log into the XP box from remote transparently (and I think there is no
- need to change anything to get a connection, even if authentication is against a domain).
- </p></li><li class="listitem"><p>
- The NX core technologies are all Open Source and released under the GPL
- you can now use a (very inconvenient) command line at no cost,
- but you can buy a comfortable (proprietary) NX GUI front end for money.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id421870"></a>
-<a class="indexterm" name="id421876"></a>
-<a class="indexterm" name="id421883"></a>
-<a class="indexterm" name="id421890"></a>
-<a class="indexterm" name="id421897"></a>
- NoMachine is encouraging and offering help to OSS/Free Software implementations
- for such a front-end too, even if it means competition to them (they have written
- to this effect even to the LTSP, KDE, and GNOME developer mailing lists).
- </p></li></ul></div></div><div class="sect2" title="Remote Management with ThinLinc"><div class="titlepage"><div><div><h3 class="title"><a name="id421909"></a>Remote Management with ThinLinc</h3></div></div></div><p>
- Another alternative for remote access is <span class="emphasis"><em>ThinLinc</em></span> from Cendio.
- </p><p>
-<a class="indexterm" name="id421924"></a>
-<a class="indexterm" name="id421931"></a>
-<a class="indexterm" name="id421938"></a>
-<a class="indexterm" name="id421945"></a>
-<a class="indexterm" name="id421951"></a>
-<a class="indexterm" name="id421958"></a>
-<a class="indexterm" name="id421965"></a>
-<a class="indexterm" name="id421971"></a>
- ThinLinc is a terminal server solution that is available for Linux and Solaris based on standard
- protocols such as SSH, TightVNC, NFS and PulseAudio.
- </p><p>
-<a class="indexterm" name="id421983"></a>
-<a class="indexterm" name="id421989"></a>
- ThinLinc can be used both in the LAN environment to implement a Thin Client strategy for an organization, and as
- secure remote access solution for people working from remote locations, even over smallband connections.
- ThinLinc is free to use for a single concurrent user.
- </p><p>
-<a class="indexterm" name="id422002"></a>
-<a class="indexterm" name="id422008"></a>
-<a class="indexterm" name="id422015"></a>
- The product can also be used as a frontend to access Windows Terminal Server or Citrix farms, or even Windows
- XP machines, securing the connection via the ssh protocol. The client is available both for Linux (supporting
- all Linux distributions as well as numerous thin terminals) and for Windows. A Java-based Web client is also
- available.
- </p><p>
- ThinLinc may be evaluated by connecting to Cendio's demo system, see
- <a class="ulink" href="http://www.cendio.com" target="_top">Cendio's</a> web site
- <a class="ulink" href="http://www.cendio.com/testdrive" target="_top">testdrive</a> center.
- </p><p>
- Cendio is a major contributor to several open source projects including
- <a class="ulink" href="http://www.tightvnc.com" target="_top">TightVNC</a>,
- <a class="ulink" href="http://pulseaudio.org" target="_top">PulseAudio</a> , unfsd,
- <a class="ulink" href="http://www.python.org" target="_top">Python</a> and
- <a class="ulink" href="http://www.rdesktop.org" target="_top">rdesktop</a>.
- </p></div></div><div class="sect1" title="Network Logon Script Magic"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id422084"></a>Network Logon Script Magic</h2></div></div></div><p>
-There are several opportunities for creating a custom network startup configuration environment.
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>No Logon Script.</p></li><li class="listitem"><p>Simple universal Logon Script that applies to all users.</p></li><li class="listitem"><p>Use of a conditional Logon Script that applies per-user or per-group attributes.</p></li><li class="listitem"><p>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create
- a custom logon script and then execute it.</p></li><li class="listitem"><p>User of a tool such as KixStart.</p></li></ul></div><p>
-The Samba source code tree includes two logon script generation/execution tools.
-See <code class="filename">examples</code> directory <code class="filename">genlogon</code> and
-<code class="filename">ntlogon</code> subdirectories.
-</p><p>
-The following listings are from the genlogon directory.
-</p><p>
-<a class="indexterm" name="id422150"></a>
-This is the <code class="filename">genlogon.pl</code> file:
-
-</p><pre class="programlisting">
- #!/usr/bin/perl
- #
- # genlogon.pl
- #
- # Perl script to generate user logon scripts on the fly, when users
- # connect from a Windows client. This script should be called from
- # smb.conf with the %U, %G and %L parameters. I.e:
- #
- # root preexec = genlogon.pl %U %G %L
- #
- # The script generated will perform
- # the following:
- #
- # 1. Log the user connection to /var/log/samba/netlogon.log
- # 2. Set the PC's time to the Linux server time (which is maintained
- # daily to the National Institute of Standards Atomic clock on the
- # internet.
- # 3. Connect the user's home drive to H: (H for Home).
- # 4. Connect common drives that everyone uses.
- # 5. Connect group-specific drives for certain user groups.
- # 6. Connect user-specific drives for certain users.
- # 7. Connect network printers.
-
- # Log client connection
- #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
- ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
- open LOG, "&gt;&gt;/var/log/samba/netlogon.log";
- print LOG "$mon/$mday/$year $hour:$min:$sec";
- print LOG " - User $ARGV[0] logged into $ARGV[1]\n";
- close LOG;
-
- # Start generating logon script
- open LOGON, "&gt;/shared/netlogon/$ARGV[0].bat";
- print LOGON "\@ECHO OFF\r\n";
-
- # Connect shares just use by Software Development group
- if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
- {
- print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
- }
-
- # Connect shares just use by Technical Support staff
- if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
- {
- print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
- }
-
- # Connect shares just used by Administration staff
- If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
- {
- print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
- print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
- }
-
- # Now connect Printers. We handle just two or three users a little
- # differently, because they are the exceptions that have desktop
- # printers on LPT1: - all other user's go to the LaserJet on the
- # server.
- if ($ARGV[0] eq 'jim'
- || $ARGV[0] eq 'yvonne')
- {
- print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
- print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
- }
- else
- {
- print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
- print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
- }
-
- # All done! Close the output file.
- close LOGON;
-</pre><p>
-</p><p>
-Those wishing to use a more elaborate or capable logon processing system should check out these sites:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><a class="ulink" href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></p></li><li class="listitem"><p><a class="ulink" href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></p></li></ul></div><div class="sect2" title="Adding Printers without User Intervention"><div class="titlepage"><div><div><h3 class="title"><a name="id422250"></a>Adding Printers without User Intervention</h3></div></div></div><p>
-<a class="indexterm" name="id422258"></a>
-Printers may be added automatically during logon script processing through the use of:
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /?</code></strong>
-</pre><p>
-
-See the documentation in the <a class="ulink" href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">Microsoft Knowledge Base article 189105</a>.
-</p></div><div class="sect2" title="Limiting Logon Connections"><div class="titlepage"><div><div><h3 class="title"><a name="id422290"></a>Limiting Logon Connections</h3></div></div></div><p>
- Sometimes it is necessary to limit the number of concurrent connections to a
- Samba shared resource. For example, a site may wish to permit only one network
- logon per user.
- </p><p>
- The Samba <em class="parameter"><code>preexec script</code></em> parameter can be used to permit only one
- connection per user. Though this method is not foolproof and may have side effects,
- the following contributed method may inspire someone to provide a better solution.
- </p><p>
- This is not a perfect solution because Windows clients can drop idle connections
- with an auto-reconnect capability that could result in the appearance that a share
- is no longer in use, while actually it is. Even so, it demonstrates the principle
- of use of the <em class="parameter"><code>preexec script</code></em> parameter.
- </p><p>
- The following share configuration demonstrates use of the script shown in <a class="link" href="AdvancedNetworkManagement.html#Tpees" title="Example 25.1. Script to Enforce Single Resource Logon">&#8220;Script to Enforce Single Resource Logon&#8221;</a>.
-</p><pre class="programlisting">
-[myshare]
- ...
- preexec script = /sbin/PermitSingleLogon.sh
- preexec close = Yes
- ...
-</pre><p>
- </p><div class="example"><a name="Tpees"></a><p class="title"><b>Example 25.1. Script to Enforce Single Resource Logon</b></p><div class="example-contents"><pre class="screen">
-#!/bin/bash
-
-IFS="-"
-RESULT=$(smbstatus -S -u $1 2&gt; /dev/null | awk 'NF \
- &gt; 6 {print $1}' | sort | uniq -d)
-
-if [ "X${RESULT}" == X ]; then
- exit 0
-else
- exit 1
-fi
-</pre></div></div><br class="example-break"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 24. Winbind: Use of Domain Accounts </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 26. System and Account Policies</td></tr></table></div></body></html>
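Review bot: The genlogon.pl listing in this hunk is documented as running via "root preexec = genlogon.pl %U %G %L" and opens "/shared/netlogon/$ARGV[0].bat" with a two-argument open, no check on $ARGV[0] and no check that either open succeeded, so the substituted user name goes unvalidated into a path written as root. The same listing has "If ($ARGV[1] eq "ADMIN"" with a capital I, which Perl will not parse, so the example cannot run as printed. In Example 25.1, IFS is set to "-" and $1 is passed unquoted to smbstatus -u, so a user name containing a hyphen is split into two arguments and the single-logon check looks up the wrong name. The meta generator line shows this file is DocBook XSL Stylesheets output, so deleting it does not change the chapter text itself; if the Chapter 25 source stays in the tree, please fix these there (three-argument open with an error check, a strict character-set check on the user name before building the path, lowercase if, and a quoted "$1" without the IFS override), and say in the commit message where the rendered HOWTO is built or published from now on.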
diff --git a/docs/htmldocs/Samba3-HOWTO/Appendix.html b/docs/htmldocs/Samba3-HOWTO/Appendix.html
deleted file mode 100644
index cc4675c3e4..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/Appendix.html
+++ /dev/null
@@ -1 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Reference Section</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="tdb.html" title="Chapter 41. Managing TDB Files"><link rel="next" href="compiling.html" title="Chapter 42. How to Compile Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Reference Section</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="tdb.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" title="Part VI. Reference Section"><div class="titlepage"><div><div><h1 class="title"><a name="Appendix"></a>Part VI. Reference Section</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="compiling.html">42. 
How to Compile Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="compiling.html#id449310">Access Samba Source Code via Subversion</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id449315">Introduction</a></span></dt><dt><span class="sect2"><a href="compiling.html#id449353">Subversion Access to samba.org</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#id449526">Accessing the Samba Sources via rsync and ftp</a></span></dt><dt><span class="sect1"><a href="compiling.html#id449593">Verifying Samba's PGP Signature</a></span></dt><dt><span class="sect1"><a href="compiling.html#id449722">Building the Binaries</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id449946">Compiling Samba with Active Directory Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#startingSamba">Starting the <span class="application">smbd</span> <span class="application">nmbd</span> and <span class="application">winbindd</span></a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450196">Starting from inetd.conf</a></span></dt><dt><span class="sect2"><a href="compiling.html#id450403">Alternative: Starting <span class="application">smbd</span> as a Daemon</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Portability.html">43. 
Portability</a></span></dt><dd><dl><dt><span class="sect1"><a href="Portability.html#id450764">HPUX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id450860">SCO UNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id450891">DNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451021">Red Hat Linux</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451060">AIX: Sequential Read Ahead</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451114">Solaris</a></span></dt><dd><dl><dt><span class="sect2"><a href="Portability.html#id451119">Locking Improvements</a></span></dt><dt><span class="sect2"><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Other-Clients.html">44. Samba and Other CIFS Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="Other-Clients.html#id451283">Macintosh Clients</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id451358">OS2 Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id451364">Configuring OS/2 Warp Connect or OS/2 Warp 4</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451474">Configuring Other Versions of OS/2</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451524">Printer Driver Download for OS/2 Clients</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id451608">Windows for Workgroups</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id451614">Latest TCP/IP Stack from Microsoft</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451692">Delete .pwl Files After Password Change</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451713">Configuring Windows for Workgroups Password Handling</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451768">Password Case 
Sensitivity</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451795">Use TCP/IP as Default Protocol</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#speedimpr">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id451846">Windows 95/98</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id451910">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id451928">Windows 2000 Service Pack 2</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id452108">Windows NT 3.1</a></span></dt></dl></dd><dt><span class="chapter"><a href="speed.html">45. Samba Performance Tuning</a></span></dt><dd><dl><dt><span class="sect1"><a href="speed.html#id452214">Comparisons</a></span></dt><dt><span class="sect1"><a href="speed.html#id452243">Socket Options</a></span></dt><dt><span class="sect1"><a href="speed.html#id452328">Read Size</a></span></dt><dt><span class="sect1"><a href="speed.html#id452364">Max Xmit</a></span></dt><dt><span class="sect1"><a href="speed.html#id452406">Log Level</a></span></dt><dt><span class="sect1"><a href="speed.html#id452428">Read Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id452488">Write Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id452536">Slow Logins</a></span></dt><dt><span class="sect1"><a href="speed.html#id452558">Client Tuning</a></span></dt><dt><span class="sect1"><a href="speed.html#id452577">Samba Performance Problem Due to Changing Linux Kernel</a></span></dt><dt><span class="sect1"><a href="speed.html#id452660">Corrupt tdb Files</a></span></dt><dt><span class="sect1"><a href="speed.html#id452749">Samba Performance is Very Slow</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch-ldap-tls.html">46. 
LDAP and Transport Layer Security</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch47.html">47. Samba Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch47.html#id453826">Free Support</a></span></dt><dt><span class="sect1"><a href="ch47.html#id454025">Commercial Support</a></span></dt></dl></dd><dt><span class="chapter"><a href="DNSDHCP.html">48. DNS and DHCP Configuration Guide</a></span></dt><dd><dl><dt><span class="sect1"><a href="DNSDHCP.html#id454166">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="DNSDHCP.html#id454326">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="DNSDHCP.html#id454402">Dynamic DNS</a></span></dt><dt><span class="sect2"><a href="DNSDHCP.html#DHCP">DHCP Server</a></span></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="tdb.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 41. 
Managing TDB Files </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 42. How to Compile Samba</td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-HOWTO/Backup.html b/docs/htmldocs/Samba3-HOWTO/Backup.html
deleted file mode 100644
index 297ea124fb..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/Backup.html
+++ /dev/null
@@ -1,130 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Backup Techniques</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="unicode.html" title="Chapter 30. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 32. High Availability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 31. Backup Techniques"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 31. 
Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="Backup.html#id433904">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="Backup.html#id433944">Discussion of Backup Solutions</a></span></dt><dd><dl><dt><span class="sect2"><a href="Backup.html#id434031">BackupPC</a></span></dt><dt><span class="sect2"><a href="Backup.html#id434193">Rsync</a></span></dt><dt><span class="sect2"><a href="Backup.html#id434353">Amanda</a></span></dt><dt><span class="sect2"><a href="Backup.html#id434397">BOBS: Browseable Online Backup System</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id433904"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id433912"></a>
-<a class="indexterm" name="id433919"></a>
-<a class="indexterm" name="id433926"></a>
-<a class="indexterm" name="id433932"></a>
-The Samba project is over 10 years old. During the early history
-of Samba, UNIX administrators were its key implementors. UNIX administrators
-use UNIX system tools to backup UNIX system files. Over the past
-4 years, an increasing number of Microsoft network administrators have
-taken an interest in Samba. This is reflected in the questions about backup
-in general on the Samba mailing lists.
-</p></div><div class="sect1" title="Discussion of Backup Solutions"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id433944"></a>Discussion of Backup Solutions</h2></div></div></div><p>
-<a class="indexterm" name="id433952"></a>
-<a class="indexterm" name="id433959"></a>
-During discussions at a Microsoft Windows training course, one of
-the pro-UNIX delegates stunned the class when he pointed out that Windows
-NT4 is limiting compared with UNIX. He likened UNIX to a Meccano set
-that has an unlimited number of tools that are simple, efficient,
-and, in combination, capable of achieving any desired outcome.
-</p><p>
-<a class="indexterm" name="id433972"></a>
-<a class="indexterm" name="id433978"></a>
-One of the Windows networking advocates retorted that if she wanted a
-Meccano set, she would buy one. She made it clear that a complex single
-tool that does more than is needed but does it with a clear purpose and
-intent is preferred by some like her.
-</p><p>
-<a class="indexterm" name="id433991"></a>
-<a class="indexterm" name="id433998"></a>
-<a class="indexterm" name="id434004"></a>
-Please note that all information here is provided as is and without recommendation
-of fitness or suitability. The network administrator is strongly encouraged to
-perform due diligence research before implementing any backup solution, whether free
-software or commercial.
-</p><p>
-A useful Web site I recently stumbled across that you might like to refer to
-is located at <a class="ulink" href="http://www.allmerchants.com/Software/Backup_Software/" target="_top">
-www.allmerchants.com</a>.
-</p><p>
-The following three free software projects might also merit consideration.
-</p><div class="sect2" title="BackupPC"><div class="titlepage"><div><div><h3 class="title"><a name="id434031"></a>BackupPC</h3></div></div></div><p>
- <a class="indexterm" name="id434038"></a>
-<a class="indexterm" name="id434045"></a>
-<a class="indexterm" name="id434052"></a>
- BackupPC version 2.0.0 has been released on <a class="ulink" href="http://backuppc.sourceforge.net" target="_top">SourceForge</a>.
- New features include support for <code class="literal">rsync/rsyncd</code> and internationalization of the CGI interface
- (including English, French, Spanish, and German).
- </p><p>
-<a class="indexterm" name="id434076"></a>
-<a class="indexterm" name="id434082"></a>
-<a class="indexterm" name="id434089"></a>
-<a class="indexterm" name="id434096"></a>
-<a class="indexterm" name="id434102"></a>
-<a class="indexterm" name="id434109"></a>
-<a class="indexterm" name="id434116"></a>
-<a class="indexterm" name="id434122"></a>
- BackupPC is a high-performance Perl-based package for backing up Linux,
- UNIX, and Windows PCs and laptops to a server's disk. BackupPC is highly
- configurable and easy to install and maintain. SMB (via smbclient),
- <code class="literal">tar</code> over <code class="literal">rsh/ssh</code>, or <code class="literal">rsync/rsyncd</code>
- are used to extract client data.
- </p><p>
-<a class="indexterm" name="id434152"></a>
-<a class="indexterm" name="id434159"></a>
-<a class="indexterm" name="id434166"></a>
- Given the ever-decreasing cost of disks and RAID systems, it is now
- practical and cost effective to backup a large number of machines onto
- a server's local disk or network storage. This is what BackupPC does.
- </p><p>
- Key features are pooling of identical files (big savings in server disk
- space), compression, and a comprehensive CGI interface that allows users
- to browse backups and restore files.
- </p><p>
-<a class="indexterm" name="id434182"></a>
- BackupPC is free software distributed under a GNU GPL license.
- BackupPC runs on Linux/UNIX/freenix servers and has been tested
- on Linux, UNIX, Windows 9x/Me, Windows 98, Windows 200x, Windows XP, and Mac OSX clients.
- </p></div><div class="sect2" title="Rsync"><div class="titlepage"><div><div><h3 class="title"><a name="id434193"></a>Rsync</h3></div></div></div><p>
-<a class="indexterm" name="id434201"></a>
-<a class="indexterm" name="id434208"></a>
-<a class="indexterm" name="id434214"></a>
-<a class="indexterm" name="id434221"></a>
-<a class="indexterm" name="id434228"></a>
-<a class="indexterm" name="id434235"></a>
- <code class="literal">rsync</code> is a flexible program for efficiently copying files or
- directory trees.</p><p><code class="literal">rsync</code> has many options to select which files will be copied
- and how they are to be transferred. It may be used as an
- alternative to <code class="literal">ftp, http, scp</code>, or <code class="literal">rcp</code>.</p><p>
-<a class="indexterm" name="id434272"></a>
-<a class="indexterm" name="id434278"></a>
-<a class="indexterm" name="id434285"></a>
- The rsync remote-update protocol allows rsync to transfer just
- the differences between two sets of files across the network link,
- using an efficient checksum-search algorithm described in the
- technical report that accompanies the rsync package.</p><p>Some of the additional features of rsync are:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Support for copying links, devices, owners, groups, and permissions.
- </p></li><li class="listitem"><p>
- Exclude and exclude-from options are similar to GNU tar.
- </p></li><li class="listitem"><p>
- A CVS exclude mode for ignoring the same files that CVS would ignore.
- </p></li><li class="listitem"><p>
- Can use any transparent remote shell, including rsh or ssh.
- </p></li><li class="listitem"><p>
- Does not require root privileges.
- </p></li><li class="listitem"><p>
- Pipelining of file transfers to minimize latency costs.
- </p></li><li class="listitem"><p>
- Support for anonymous or authenticated rsync servers (ideal for
- mirroring).
- </p></li></ul></div></div><div class="sect2" title="Amanda"><div class="titlepage"><div><div><h3 class="title"><a name="id434353"></a>Amanda</h3></div></div></div><p>
- <a class="indexterm" name="id434361"></a>
-<a class="indexterm" name="id434368"></a>
-<a class="indexterm" name="id434375"></a>
- Amanda, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that
- allows the administrator of a LAN to set up a single master backup server to back up
- multiple hosts to a single large capacity tape drive. Amanda uses native dump and/or
- GNU tar facilities and can back up a large number of workstations running multiple
- versions of UNIX. Recent versions can also use Samba to back up Microsoft Windows hosts.
- </p><p>
- For more information regarding Amanda, please check the <a class="ulink" href="http://www.amanda.org/" target="_top">
- www.amanda.org/ site</a>.
- </p></div><div class="sect2" title="BOBS: Browseable Online Backup System"><div class="titlepage"><div><div><h3 class="title"><a name="id434397"></a>BOBS: Browseable Online Backup System</h3></div></div></div><p>
- <a class="indexterm" name="id434405"></a>
- Browseable Online Backup System (BOBS) is a complete online backup system. Uses large
- disks for storing backups and lets users browse the files using a Web browser. Handles
- some special files like AppleDouble and icon files.
- </p><p>
- The home page for BOBS is located at <a class="ulink" href="http://bobs.sourceforge.net/" target="_top">
- bobs.sourceforge.net</a>.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Unicode/Charsets </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. High Availability</td></tr></table></div></body></html>
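Review bot: The commit message should say that Backup.html is generated output and name the source it is rebuilt from. The first removed line carries the generator meta tag "DocBook XSL Stylesheets V1.75.2", so this is a rendered page, but nothing in the hunk shows that the chapter text (the BackupPC, Rsync, Amanda and BOBS sections) still exists elsewhere in the tree. Also check inbound links: the removed navigation header and footer pair this page with unicode.html and SambaHA.html, and the TOC anchors (Backup.html#id433904 and the others) are generated ids, so any page that stays in the tree and still points at Backup.html will be left with dead links after this deletion.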
diff --git a/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html b/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html
deleted file mode 100644
index ade3dc226a..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html
+++ /dev/null
@@ -1,3112 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. CUPS Printing Support</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="classicalprinting.html" title="Chapter 21. Classical Printing Support"><link rel="next" href="VFS.html" title="Chapter 23. Stackable VFS modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. CUPS Printing Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="classicalprinting.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 22. CUPS Printing Support"><div class="titlepage"><div><div><h2 class="title"><a name="CUPS-printing"></a>Chapter 22. 
CUPS Printing Support</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname">Danka Deutschland GmbH <br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Ciprian</span> <span class="surname">Vizitiu</span></h3><span class="contrib">drawings</span> <div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:CVizitiu@gbif.org">CVizitiu@gbif.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawings</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate"> (27 Jan 2004) </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="CUPS-printing.html#id398810">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id398815">Features and Benefits</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id398866">Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id398976">Basic CUPS Support Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id399084">Linking smbd with libcups.so</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id399310">Simple <code class="filename">smb.conf</code> Settings for CUPS</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id399534">More 
Complex CUPS <code class="filename">smb.conf</code> Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id399894">Advanced Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id399907">Central Spooling vs. <span class="quote">&#8220;<span class="quote">Peer-to-Peer</span>&#8221;</span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id399952">Raw Print Serving: Vendor Drivers on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400166">Installation of Windows Client Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-raw">Explicitly Enable <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> Printing for <span class="emphasis"><em>application/octet-stream</em></span></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400430">Driver Upload Methods</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id400541">Advanced Intelligent Printing with PostScript Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401205">Ghostscript: The Software RIP for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401346">PostScript Printer Description (PPD) Specification</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401414">Using Windows-Formatted Vendor PPDs</a></span></dt><dt><span class="sect2"><a 
href="CUPS-printing.html#id401523">CUPS Also Uses PPDs for Non-PostScript Printers</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402381">Filtering Overview</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402529">Prefilters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402708">pstops</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402868">pstoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403119">imagetops and imagetoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403199">rasterto [printers specific]</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403411">CUPS Backends</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403719">The Role of <em class="parameter"><code>cupsomatic/foomatic</code></em></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403933">The Complete Picture</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403945"><code class="filename">mime.convs</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404006"><span class="quote">&#8220;<span class="quote">Raw</span>&#8221;</span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404106">application/octet-stream Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404631"><span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> Versus 
<span class="emphasis"><em>Native CUPS</em></span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405347">Sources of CUPS Drivers/PPDs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405456">Printing with Interface Scripts</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id405534">Network Printing (Purely Windows)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id405549">From Windows Clients to an NT Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405607">Driver Execution on the Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405672">Driver Execution on the Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id405771">Network Printing (Windows Clients and UNIX/Samba Print
-Servers)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id405787">From Windows Clients to a CUPS/Samba Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405962">Samba Receiving Job-Files and Passing Them to CUPS</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id406034">Network PostScript RIP</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id406112">PPDs for Non-PS Printers on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406149">PPDs for Non-PS Printers on Windows</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id406210">Windows Terminal Servers (WTS) as CUPS Clients</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id406222">Printer Drivers Running in <span class="quote">&#8220;<span class="quote">Kernel Mode</span>&#8221;</span> Cause Many
-Problems</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406253">Workarounds Impose Heavy Limitations</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406267">CUPS: A <span class="quote">&#8220;<span class="quote">Magical Stone</span>&#8221;</span>?</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406303">PostScript Drivers with No Major Problems, Even in Kernel
-Mode</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id406382">Configuring CUPS for Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id406400"><span class="emphasis"><em>cupsaddsmb</em></span>: The Unknown Utility</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406488">Prepare Your <code class="filename">smb.conf</code> for <code class="literal">cupsaddsmb</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406765">CUPS <span class="quote">&#8220;<span class="quote">PostScript Driver for Windows NT/200x/XP</span>&#8221;</span></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406987">Recognizing Different Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407098">Acquiring the Adobe Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407118">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407173">Caveats to Be Considered</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407452">Windows CUPS PostScript Driver Versus Adobe Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407647">Run cupsaddsmb (Quiet Mode)</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407782">Run cupsaddsmb with Verbose Output</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407885">Understanding cupsaddsmb</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408021">How to Recognize If cupsaddsmb Completed Successfully</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408132">cupsaddsmb with a Samba PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408209">cupsaddsmb Flowchart</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408287">Installing the PostScript Driver on 
a Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-avoidps1">Avoiding Critical PostScript Driver Settings on the Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id408496">Installing PostScript Driver Files Manually Using rpcclient</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408822">Understanding the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408914">Producing an Example by Querying a Windows Box</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409034">Requirements for adddriver and setdriver to Succeed</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410123">Troubleshooting Revisited</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id410254">The Printing <code class="filename">*.tdb</code> Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id410454">Trivial Database Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410516">Binary Format</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410577">Losing <code class="filename">*.tdb</code> Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410623">Using <code class="literal">tdbbackup</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id410734">CUPS Print Drivers from Linuxprinting.org</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id410895">foomatic-rip and Foomatic Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id411599">foomatic-rip and Foomatic PPD Download and 
Installation</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id412022">Page Accounting with CUPS</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412052">Setting Up Quotas</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412102">Correct and Incorrect Accounting</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412135">Adobe and CUPS PostScript Drivers for Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412266">The page_log File Syntax</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412406">Possible Shortcomings</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412465">Future Developments</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412500">Other Accounting Tools</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id412512">Additional Material</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id412700">Autodeletion or Preservation of CUPS Spool Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412773">CUPS Configuration Settings Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412850">Preconditions</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412978">Manual Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id413023">Printing from CUPS to Windows-Attached Printers</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id413279">More CUPS Filtering Chains</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id413388">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id413394">Windows 9x/Me Client Can't Install Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#root-ask-loop"><span class="quote">&#8220;<span 
class="quote">cupsaddsmb</span>&#8221;</span> Keeps Asking for Root Password in Never-ending Loop</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413464"><span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> or <span class="quote">&#8220;<span class="quote">rpcclient addriver</span>&#8221;</span> Emit Error</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413500"><span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> Errors</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413571">Client Can't Connect to Samba Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413594">New Account Reconnection from Windows 200x/XP Troubles</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413674">Avoid Being Connected to the Samba Server as the Wrong User</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413721">Upgrading to CUPS Drivers from Adobe Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413755">Can't Use <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> on Samba Server, Which Is a PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413790">Deleted Windows 200x Printer Driver Is Still Shown</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413821">Windows 200x/XP Local Security Policies</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413852">Administrator Cannot Install Printers for All Local Users</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413888">Print Change, Notify Functions on NT Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413911">Windows XP SP1</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413953">Print Options for All Users Can't Be Set on Windows 200x/XP</a></span></dt><dt><span class="sect2"><a 
href="CUPS-printing.html#id414222">Most Common Blunders in Driver Settings on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414274"><code class="literal">cupsaddsmb</code> Does Not Work with Newly Installed Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414320">Permissions on <code class="filename">/var/spool/samba/</code> Get Reset After Each Reboot</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414413">Print Queue Called <span class="quote">&#8220;<span class="quote">lp</span>&#8221;</span> Mishandles Print Jobs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414476">Location of Adobe PostScript Driver Files for <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span></a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id414527">Overview of the CUPS Printing Processes</a></span></dt></dl></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id398810"></a>Introduction</h2></div></div></div><div class="sect2" title="Features and Benefits"><div class="titlepage"><div><div><h3 class="title"><a name="id398815"></a>Features and Benefits</h3></div></div></div><p>
-<a class="indexterm" name="id398823"></a>
- The Common UNIX Print System (<a class="ulink" href="http://www.cups.org/" target="_top">CUPS</a>)
- has become quite popular. All major Linux distributions now ship it as their default printing
- system. To many, it is still a mystical tool. Mostly, it just works. People tend to regard
- it as a <span class="quote">&#8220;<span class="quote">black box</span>&#8221;</span> that they do not want to look into as long as it works. But once
- there is a little problem, they have trouble finding out where to start debugging it. Refer to
- <a class="link" href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing</a>, which contains much information
- that is also relevant to CUPS.
- </p><p>
-<a class="indexterm" name="id398853"></a>
- CUPS sports quite a few unique and powerful features. While its basic functions may be grasped quite
- easily, they are also new. Because it is different from other, more traditional printing systems, it is best
- not to try to apply any prior knowledge about printing to this new system. Rather, try to understand CUPS from
- the beginning. This documentation will lead you to a complete understanding of CUPS. Let's start with the most
- basic things first.
- </p></div><div class="sect2" title="Overview"><div class="titlepage"><div><div><h3 class="title"><a name="id398866"></a>Overview</h3></div></div></div><p>
-<a class="indexterm" name="id398874"></a>
-<a class="indexterm" name="id398881"></a>
-<a class="indexterm" name="id398888"></a>
-<a class="indexterm" name="id398894"></a>
-<a class="indexterm" name="id398901"></a>
-<a class="indexterm" name="id398911"></a>
-<a class="indexterm" name="id398920"></a>
-<a class="indexterm" name="id398927"></a>
- CUPS is more than just a print spooling system. It is a complete printer management system that
- complies with the new Internet Printing Protocol (IPP). IPP is an industry and Internet Engineering Task Force
- (IETF) standard for network printing. Many of its functions can be managed remotely (or locally) via a Web
- browser (giving you platform-independent access to the CUPS print server). Additionally, it has the
- traditional command line and several more modern GUI interfaces (GUI interfaces developed by third parties,
- like KDE's overwhelming <a class="ulink" href="http://printing.kde.org/" target="_top">KDEPrint</a>).
- </p><p>
-<a class="indexterm" name="id398948"></a>
-<a class="indexterm" name="id398955"></a>
- CUPS allows creation of <span class="emphasis"><em>raw</em></span> printers (i.e., no print file format translation) as
- well as <span class="emphasis"><em>smart</em></span> printers (i.e., CUPS does file format conversion as required for the
- printer). In many ways, this gives CUPS capabilities similar to the MS Windows print monitoring system. Of
- course, if you are a CUPS advocate, you would argue that CUPS is better! In any case, let us now explore how
- to configure CUPS for interfacing with MS Windows print clients via Samba.
- </p></div></div><div class="sect1" title="Basic CUPS Support Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id398976"></a>Basic CUPS Support Configuration</h2></div></div></div><p>
-<a class="indexterm" name="id398984"></a>
-<a class="indexterm" name="id398990"></a>
-<a class="indexterm" name="id398997"></a>
-<a class="indexterm" name="id399004"></a>
-<a class="indexterm" name="id399011"></a>
-Printing with CUPS in the most basic <code class="filename">smb.conf</code> setup in Samba-3.0 (as was true for 2.2.x) requires just two
-parameters: <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = cups</a> and <a class="link" href="smb.conf.5.html#PRINTCAP" target="_top">printcap = cups</a>. CUPS does not need a printcap file. However, the
-<code class="filename">cupsd.conf</code> configuration file knows of two related directives that control how such a
-file will be automatically created and maintained by CUPS for the convenience of third-party applications
-(example: <em class="parameter"><code>Printcap /etc/printcap</code></em> and <em class="parameter"><code>PrintcapFormat BSD</code></em>).
-Legacy programs often require the existence of a printcap file containing printer names or they will refuse to
-print. Make sure CUPS is set to generate and maintain a printcap file. For details, see <code class="literal">man
-cupsd.conf</code> and other CUPS-related documentation, like the wealth of documents regarding the CUPS
-server itself available from the <a class="ulink" href="http://localhost:631/documentation.html" target="_top">CUPS</a> web site.
- </p><div class="sect2" title="Linking smbd with libcups.so"><div class="titlepage"><div><div><h3 class="title"><a name="id399084"></a>Linking smbd with libcups.so</h3></div></div></div><p>
-<a class="indexterm" name="id399092"></a>
- Samba has a special relationship to CUPS. Samba can be compiled with CUPS library support.
- Most recent installations have this support enabled. By default, CUPS linking is compiled
- into smbd and other Samba binaries. Of course, you can use CUPS even
- if Samba is not linked against <code class="filename">libcups.so</code> but
- there are some differences in required or supported configuration.
- </p><p>
-<a class="indexterm" name="id399113"></a>
-<a class="indexterm" name="id399119"></a>
- When Samba is compiled and linked with <code class="filename">libcups</code>, <a class="link" href="smb.conf.5.html#PRINTCAP" target="_top">printcap = cups</a>
- uses the CUPS API to list printers, submit jobs, query queues, and so on. Otherwise it maps to the System V
- commands with an additional <code class="literal">-oraw</code> option for printing. On a Linux
- system, you can use the <code class="literal">ldd</code> utility to find out if smbd has been linked with the
- libcups library (<code class="literal">ldd</code> may not be present on other OS platforms, or its function may be embodied
- by a different command):
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>ldd `which smbd`</code></strong>
-libssl.so.0.9.6 =&gt; /usr/lib/libssl.so.0.9.6 (0x4002d000)
-libcrypto.so.0.9.6 =&gt; /usr/lib/libcrypto.so.0.9.6 (0x4005a000)
-libcups.so.2 =&gt; /usr/lib/libcups.so.2 (0x40123000)
-[....]
-</pre><p>
- </p><p>
-<a class="indexterm" name="id399184"></a>
- The line <code class="computeroutput">libcups.so.2 =&gt; /usr/lib/libcups.so.2 (0x40123000)</code> shows
- there is CUPS support compiled into this version of Samba. If this is the case, and printing = cups
- is set, then <span class="emphasis"><em>any otherwise manually set print command in <code class="filename">smb.conf</code> is ignored</em></span>.
- This is an important point to remember!
- </p><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Should it be necessary, for any reason, to set your own print commands, you can do this by setting
- <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = sysv</a>. However, you will lose all the benefits
- of tight CUPS-Samba integration. When you do this, you must manually configure the printing system commands
- (most important:
- <a class="link" href="smb.conf.5.html#PRINTCOMMAND" target="_top">print command</a>; other commands are
- <a class="link" href="smb.conf.5.html#LPPAUSECOMMAND" target="_top">lppause command</a>,
- <a class="link" href="smb.conf.5.html#LPRESUMECOMMAND" target="_top">lpresume command</a>,
- <a class="link" href="smb.conf.5.html#LPQCOMMAND" target="_top">lpq command</a>,
- <a class="link" href="smb.conf.5.html#LPRMCOMMAND" target="_top">lprm command</a>,
- <a class="link" href="smb.conf.5.html#QUEUEPAUSECOMMAND" target="_top">queuepause command</a> and
- <a class="link" href="smb.conf.5.html#QUEUERESUMECOMMAND" target="_top">queue resume command</a>).
- </p></div></div><div class="sect2" title="Simple smb.conf Settings for CUPS"><div class="titlepage"><div><div><h3 class="title"><a name="id399310"></a>Simple <code class="filename">smb.conf</code> Settings for CUPS</h3></div></div></div><p>
- To summarize, <a class="link" href="CUPS-printing.html#cups-exam-simple" title="Example 22.1. Simplest Printing-Related smb.conf">the Simplest Printing-Related
- <code class="filename">smb.conf</code> file</a> shows the simplest printing-related setup for <code class="filename">smb.conf</code> to
- enable basic CUPS support:
- </p><div class="example"><a name="cups-exam-simple"></a><p class="title"><b>Example 22.1. Simplest Printing-Related smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id399370"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td><a class="indexterm" name="id399381"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id399393"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id399413"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id399424"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id399436"></a><em class="parameter"><code>browseable = no</code></em></td></tr><tr><td><a class="indexterm" name="id399447"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id399459"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id399470"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id399482"></a><em class="parameter"><code>printer admin = root, @ntadmins, @smbprintadm</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id399497"></a>
-<a class="indexterm" name="id399504"></a>
-<a class="indexterm" name="id399510"></a>
- This is all you need for basic printing setup for CUPS. It will print all graphic, text, PDF, and PostScript
- files submitted from Windows clients. However, most of your Windows users would not know how to send these
- kinds of files to print without opening a GUI application. Windows clients tend to have local printer drivers
- installed, and the GUI application's print buttons start a printer driver. Your users also rarely send files
- from the command line. Unlike UNIX clients, they rarely submit graphic, text, or PDF formatted files directly
- to the spooler. They nearly exclusively print from GUI applications with a <span class="quote">&#8220;<span class="quote">printer driver</span>&#8221;</span>
- hooked between the application's native format and the print data stream. If the backend printer is not a
- PostScript device, the print data stream is <span class="quote">&#8220;<span class="quote">binary,</span>&#8221;</span> sensible only for the target printer. Read
- on to learn what problem this may cause and how to avoid it.
- </p></div><div class="sect2" title="More Complex CUPS smb.conf Settings"><div class="titlepage"><div><div><h3 class="title"><a name="id399534"></a>More Complex CUPS <code class="filename">smb.conf</code> Settings</h3></div></div></div><p>
- <a class="link" href="CUPS-printing.html#overridesettings" title="Example 22.2. Overriding Global CUPS Settings for One Printer">The Overriding Global CUPS Settings for One Printer example</a>
- is a slightly more complex printing-related setup for <code class="filename">smb.conf</code>. It enables general CUPS printing
- support for all printers, but defines one printer share, which is set up differently.
- </p><div class="example"><a name="overridesettings"></a><p class="title"><b>Example 22.2. Overriding Global CUPS Settings for One Printer</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id399588"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id399599"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id399611"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id399631"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id399643"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id399654"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id399666"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id399677"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id399689"></a><em class="parameter"><code>printer admin = root, @ntadmins, @smbprintadm</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[special_printer]</code></em></td></tr><tr><td><a class="indexterm" name="id399709"></a><em class="parameter"><code>comment = A special printer with his own settings</code></em></td></tr><tr><td><a class="indexterm" name="id399721"></a><em class="parameter"><code>path = /var/spool/samba-special</code></em></td></tr><tr><td><a class="indexterm" name="id399733"></a><em class="parameter"><code>printing = sysv</code></em></td></tr><tr><td><a class="indexterm" 
name="id399744"></a><em class="parameter"><code>printcap = lpstat</code></em></td></tr><tr><td><a class="indexterm" name="id399756"></a><em class="parameter"><code>print command = echo "NEW: `date`: printfile %f" &gt;&gt; /tmp/smbprn.log ; echo " `date`: p-%p s-%s f-%f" &gt;&gt; /tmp/smbprn.log ; echo " `date`: j-%j J-%J z-%z c-%c" &gt;&gt; /tmp/smbprn.log ; rm %f </code></em></td></tr><tr><td><a class="indexterm" name="id399769"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id399781"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id399792"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id399804"></a><em class="parameter"><code>printer admin = kurt</code></em></td></tr><tr><td><a class="indexterm" name="id399815"></a><em class="parameter"><code>hosts deny = 0.0.0.0</code></em></td></tr><tr><td><a class="indexterm" name="id399827"></a><em class="parameter"><code>hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60</code></em></td></tr></table></div></div><br class="example-break"><p>
- This special share is only for testing purposes. It does not write the print job to a file. It just logs the job parameters
- known to Samba into the <code class="filename">/tmp/smbprn.log</code> file and deletes the job-file. Moreover, the
- <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a> of this share is <span class="quote">&#8220;<span class="quote">kurt</span>&#8221;</span> (not the <span class="quote">&#8220;<span class="quote">@ntadmins</span>&#8221;</span> group),
- guest access is not allowed, the share isn't published to the Network Neighborhood (so you need to know it is there), and it
- allows access from only three hosts. To prevent CUPS from kicking in and taking over the print jobs for that share, we need to set
- <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = sysv</a> and <a class="link" href="smb.conf.5.html#PRINTCAP" target="_top">printcap = lpstat</a>.
- </p></div></div><div class="sect1" title="Advanced Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id399894"></a>Advanced Configuration</h2></div></div></div><p>
- Before we delve into all the configuration options, let us clarify a few points. <span class="emphasis"><em>Network printing
- needs to be organized and set up correctly</em></span>. This frequently doesn't happen. Legacy systems or small
- business LAN environments often lack design and good housekeeping.
- </p><div class="sect2" title="Central Spooling vs. &#8220;Peer-to-Peer&#8221; Printing"><div class="titlepage"><div><div><h3 class="title"><a name="id399907"></a>Central Spooling vs. <span class="quote">&#8220;<span class="quote">Peer-to-Peer</span>&#8221;</span> Printing</h3></div></div></div><p>
-<a class="indexterm" name="id399919"></a>
- <a class="indexterm" name="id399926"></a>
- <a class="indexterm" name="id399935"></a>
- Many small office or home networks, as well as badly organized larger environments, allow each client a direct
- access to available network printers. This is generally a bad idea. It often blocks one client's access to the
- printer when another client's job is printing. It might freeze the first client's application while it is
- waiting to get rid of the job. Also, there are frequent complaints about various jobs being printed with their
- pages mixed with each other. A better concept is the use of a print server: it routes all jobs through one
- central system, which responds immediately, takes jobs from multiple concurrent clients, and transfers them to
- the printer(s) in the correct order.
- </p></div><div class="sect2" title="Raw Print Serving: Vendor Drivers on Windows Clients"><div class="titlepage"><div><div><h3 class="title"><a name="id399952"></a>Raw Print Serving: Vendor Drivers on Windows Clients</h3></div></div></div><p>
- <a class="indexterm" name="id399960"></a>
- <a class="indexterm" name="id399967"></a>
- Most traditionally configured UNIX print servers acting on behalf of
- Samba's Windows clients represented a really simple setup. Their only
- task was to manage the <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> spooling of all jobs handed to them by
- Samba. This approach meant that the Windows clients were expected to
- prepare the print job file that is ready to be sent to the printing
- device. In this case, a native (vendor-supplied) Windows printer driver needs to
- be installed on each and every client for the target device.
- </p><p>
-<a class="indexterm" name="id399984"></a>
-<a class="indexterm" name="id399991"></a>
- It is possible to configure CUPS, Samba, and your Windows clients in the
- same traditional and simple way. When CUPS printers are configured
- for raw print-through mode operation, it is the responsibility of the
- Samba client to fully render the print job (file). The file must be
- sent in a format that is suitable for direct delivery to the
- printer. Clients need to run the vendor-provided drivers to do
- this. In this case, CUPS will not do any print file format conversion
- work.
- </p><p>
- The easiest printing configuration possible is raw print-through.
- This is achieved by installation of the printer as if it were physically
- attached to the Windows client. You then redirect output to a raw network
- print queue. This procedure may be followed to achieve this:
- </p><div class="procedure" title="Procedure 22.1. Configuration Steps for Raw CUPS Printing Support"><a name="id400009"></a><p class="title"><b>Procedure 22.1. Configuration Steps for Raw CUPS Printing Support</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
-<a class="indexterm" name="id400020"></a>
- Edit <code class="filename">/etc/cups/mime.types</code> to uncomment the line
- near the end of the file that has:
-</p><pre class="screen">
-#application/octet-...
-</pre><p>
- </p></li><li class="step" title="Step 2"><p>
-<a class="indexterm" name="id400046"></a>
- Do the same for the file <code class="filename">/etc/cups/mime.convs</code>.
- </p></li><li class="step" title="Step 3"><p>
- Add a raw printer using the Web interface. Point your browser at
- <code class="constant">http://localhost:631</code>. Enter Administration, and add
- the printer following the prompts. Do not install any drivers for it.
- Choose Raw. Choose queue name <code class="constant">Raw Queue</code>.
- </p></li><li class="step" title="Step 4"><p>
- In the <code class="filename">smb.conf</code> file <code class="constant">[printers]</code> section add
- <a class="link" href="smb.conf.5.html#USECLIENTDRIVER" target="_top">use client driver = Yes</a>,
- and in the <code class="constant">[global]</code> section add
- <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = CUPS</a>, plus
- <a class="link" href="smb.conf.5.html#PRINTCAP" target="_top">printcap = CUPS</a>.
- </p></li><li class="step" title="Step 5"><p>
- Install the printer as if it is a local printer, that is, Printing to <code class="constant">LPT1:</code>.
- </p></li><li class="step" title="Step 6"><p>
- Edit the configuration under the <span class="guimenu">Detail</span> tab and create a
- <code class="constant">local port</code> that points to the raw printer queue that
- you have configured above. Example: <code class="constant">\\server\raw_q</code>.
- Here, the name <code class="constant">raw_q</code> is the name you gave the print
- queue in the CUPS environment.
- </p></li></ol></div></div><div class="sect2" title="Installation of Windows Client Drivers"><div class="titlepage"><div><div><h3 class="title"><a name="id400166"></a>Installation of Windows Client Drivers</h3></div></div></div><p>
- The printer drivers on the Windows clients may be installed
- in two functionally different ways:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Manually install the drivers locally on each client,
- one by one; this yields the old LanMan style
- printing and uses a <code class="filename">\\sambaserver\printershare</code>
- type of connection.</p></li><li class="listitem"><p>
- <a class="indexterm" name="id400193"></a>
- Deposit and prepare the drivers (for later download) on
- the print server (Samba); this enables the clients to use
- <span class="quote">&#8220;<span class="quote">Point'n'Print</span>&#8221;</span> to get drivers semi-automatically installed the
- first time they access the printer; with this method NT/200x/XP
- clients use the <span class="emphasis"><em>SPOOLSS/MS-RPC</em></span>
- type printing calls.</p></li></ul></div><p>
- The second method is recommended for use over the first as it reduces the
- administrative efforts and prevents that different versions of the drivers
- are used accidentally.
- </p></div><div class="sect2" title="Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream"><div class="titlepage"><div><div><h3 class="title"><a name="cups-raw"></a>Explicitly Enable <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> Printing for <span class="emphasis"><em>application/octet-stream</em></span></h3></div></div></div><p>
- <a class="indexterm" name="id400234"></a>
- <a class="indexterm" name="id400241"></a>
- <a class="indexterm" name="id400248"></a>
- If you use the first option (drivers are installed on the client
- side), there is one setting to take care of: CUPS needs to be told
- that it should allow <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> printing of deliberate (binary) file
- formats. The CUPS files that need to be correctly set for raw mode
- printers to work are:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><code class="filename">/etc/cups/mime.types</code></p></li><li class="listitem"><p><code class="filename">/etc/cups/mime.convs</code></p></li></ul></div><p>
- Both contain entries (at the end of the respective files) that must be uncommented to allow RAW mode
- operation. In <code class="filename">/etc/cups/mime.types</code>, make sure this line is present:
-</p><pre class="programlisting">
-application/octet-stream
-</pre><p>
- <a class="indexterm" name="id400298"></a>
- <a class="indexterm" name="id400305"></a>
- In <code class="filename">/etc/cups/mime.convs</code>, have this line:
- <a class="indexterm" name="id400318"></a>
-</p><pre class="programlisting">
-application/octet-stream application/vnd.cups-raw 0 -
-</pre><p>
- If these two files are not set up correctly for raw Windows client
- printing, you may encounter the dreaded <code class="computeroutput">Unable to
- convert file 0</code> in your CUPS <code class="filename">error_log</code> file.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- Editing the <code class="filename">mime.convs</code> and the <code class="filename">mime.types</code> file does
- not <span class="emphasis"><em>enforce</em></span> <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> printing, it only <span class="emphasis"><em>allows</em></span> it.
- </p></div><p title="Background"><b>Background. </b>
- <a class="indexterm" name="id400379"></a>
-<a class="indexterm" name="id400386"></a>
- That CUPS is a more security-aware printing system than traditional ones does not by default allow a user to
- send deliberate (possibly binary) data to printing devices. This could be easily abused to launch a
- <span class="quote">&#8220;<span class="quote">Denial of Service</span>&#8221;</span> attack on your printer(s), causing at least the loss of a lot of paper and
- ink. <span class="quote">&#8220;<span class="quote">Unknown</span>&#8221;</span> data are tagged by CUPS as <em class="parameter"><code>MIME type: application/octet-stream</code></em>
- and not allowed to go to the printer. By default, you can only send other (known) MIME types <span class="quote">&#8220;<span class="quote">raw.</span>&#8221;</span>
- Sending data <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> means that CUPS does not try to convert them and passes them to the printer
- untouched.
- </p><p>
- This is all you need to know to get the CUPS/Samba combo printing
- <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> files prepared by Windows clients, which have vendor drivers
- locally installed. If you are not interested in background information about
- more advanced CUPS/Samba printing, simply skip the remaining sections
- of this chapter.
- </p></div><div class="sect2" title="Driver Upload Methods"><div class="titlepage"><div><div><h3 class="title"><a name="id400430"></a>Driver Upload Methods</h3></div></div></div><p>
- This section describes three familiar methods, plus one new one, by which
- printer drivers may be uploaded.
- </p><p>
- <a class="indexterm" name="id400442"></a>
- If you want to use the MS-RPC-type printing, you must upload the
- drivers onto the Samba server first (<em class="parameter"><code>[print$]</code></em>
- share). For a discussion on how to deposit printer drivers on the
- Samba host (so the Windows clients can download and use them via
- <span class="quote">&#8220;<span class="quote">Point'n'Print</span>&#8221;</span>), please refer to the <a class="link" href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing
- chapter</a> of this book. There you will find a description or reference to
- three methods of preparing the client drivers on the Samba server:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id400475"></a>
- The GUI, <span class="quote">&#8220;<span class="quote">Add Printer Wizard</span>&#8221;</span> <span class="emphasis"><em>upload-from-a-Windows-client</em></span> method.
- </p></li><li class="listitem"><p>
- The command line, <span class="quote">&#8220;<span class="quote">smbclient/rpcclient</span>&#8221;</span> upload-from-a-UNIX-workstation method.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id400502"></a>
- The Imprints tool set method.
- </p></li></ul></div><p>
-<a class="indexterm" name="id400513"></a>
- These three methods apply to CUPS all the same. The <code class="literal">cupsaddsmb</code> utility is a new and more
- convenient way to load the Windows drivers into Samba and is provided if you use CUPS.
- </p><p>
- <code class="literal">cupsaddsmb</code> is discussed in much detail later in this chapter. But we first
- explore the CUPS filtering system and compare the Windows and UNIX printing architectures.
- </p></div></div><div class="sect1" title="Advanced Intelligent Printing with PostScript Driver Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id400541"></a>Advanced Intelligent Printing with PostScript Driver Download</h2></div></div></div><p>
- <a class="indexterm" name="id400549"></a>
- We now know how to set up a <span class="quote">&#8220;<span class="quote">dump</span>&#8221;</span> print server, that is, a server that spools
- print jobs <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span>, leaving the print data untouched.
- </p><p>
- You might need to set up CUPS in a smarter way. The reasons could be manifold:
- </p><a class="indexterm" name="id400572"></a><a class="indexterm" name="id400578"></a><a class="indexterm" name="id400585"></a><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Maybe your boss wants to get monthly statistics: Which
- printer did how many pages? What was the average data size of a job?
- What was the average print run per day? What are the typical hourly
- peaks in printing? Which department prints how much?</p></li><li class="listitem"><p>Maybe you are asked to set up a print quota system:
- Users should not be able to print more jobs once they have surpassed
- a given limit per period.</p></li><li class="listitem"><p>Maybe your previous network printing setup is a mess
- and must be re-organized from a clean beginning.</p></li><li class="listitem"><p>Maybe you are experiencing too many <span class="quote">&#8220;<span class="quote">blue screens</span>&#8221;</span>
- originating from poorly debugged printer drivers running in NT <span class="quote">&#8220;<span class="quote">kernel mode</span>&#8221;</span>?</p></li></ul></div><p>
- These goals cannot be achieved by a raw print server. To build a
- server meeting these requirements, you'll first need to learn
- how CUPS works and how you can enable its features.
- </p><p>
- What follows is the comparison of some fundamental concepts for
- Windows and UNIX printing, then a description of the
- CUPS filtering system, how it works, and how you can tweak it.
- </p><div class="sect2" title="GDI on Windows, PostScript on UNIX"><div class="titlepage"><div><div><h3 class="title"><a name="gdipost"></a>GDI on Windows, PostScript on UNIX</h3></div></div></div><p>
- <a class="indexterm" name="id400646"></a>
- <a class="indexterm" name="id400652"></a>
- Network printing is one of the most complicated and error-prone
- day-to-day tasks any user or administrator may encounter. This is
- true for all OS platforms, and there are reasons it is so.
- </p><p>
- <a class="indexterm" name="id400664"></a>
- <a class="indexterm" name="id400671"></a>
-<a class="indexterm" name="id400678"></a>
-<a class="indexterm" name="id400685"></a>
-<a class="indexterm" name="id400692"></a>
- You can't expect to throw just any file format at a printer and have it get printed. A file format conversion
- must take place. The problem is that there is no common standard for print file formats across all
- manufacturers and printer types. While PostScript (trademark held by Adobe) and, to an extent, PCL (trademark
- held by Hewlett-Packard) have developed into semi-official <span class="quote">&#8220;<span class="quote">standards</span>&#8221;</span> by being the most widely
- used page description languages (PDLs), there are still many manufacturers who <span class="quote">&#8220;<span class="quote">roll their own</span>&#8221;</span>
- (their reasons may be unacceptable license fees for using printer-embedded PostScript interpreters, and so on).
- </p></div><div class="sect2" title="Windows Drivers, GDI, and EMF"><div class="titlepage"><div><div><h3 class="title"><a name="id400715"></a>Windows Drivers, GDI, and EMF</h3></div></div></div><p>
- <a class="indexterm" name="id400723"></a>
- <a class="indexterm" name="id400730"></a>
- <a class="indexterm" name="id400737"></a>
-<a class="indexterm" name="id400743"></a>
- In Windows OS, the format conversion job is done by the printer drivers. On MS Windows OS platforms all
- application programmers have at their disposal a built-in API, the graphical device interface (GDI), as part
- and parcel of the OS itself to base themselves on. This GDI core is used as one common unified ground for all
- Windows programs to draw pictures, fonts, and documents <span class="emphasis"><em>on screen</em></span> as well as <span class="emphasis"><em>on
- paper</em></span> (print). Therefore, printer driver developers can standardize on a well-defined GDI output
- for their own driver input. Achieving WYSIWYG (What You See Is What You Get) is relatively easy, because the
- on-screen graphic primitives, as well as the on-paper drawn objects, come from one common source. This source,
- the GDI, often produces a file format called Enhanced MetaFile (EMF). The EMF is processed by the printer
- driver and converted to the printer-specific file format.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- <a class="indexterm" name="id400771"></a>
-<a class="indexterm" name="id400778"></a>
-<a class="indexterm" name="id400785"></a>
- To the GDI foundation in MS Windows, Apple has chosen to put paper and screen output on a common foundation
- for its (BSD-UNIX-based, did you know?) Mac OS X and Darwin operating <a class="indexterm" name="id400793"></a> <a class="indexterm" name="id400800"></a>
- <a class="indexterm" name="id400807"></a> <a class="indexterm" name="id400813"></a> systems.
- Apple's <span class="emphasis"><em>core graphic engine</em></span> uses a <span class="emphasis"><em>PDF</em></span> derivative for all display work.
- </p></div><p>
- The example in <a class="link" href="CUPS-printing.html#f1small" title="Figure 22.1. Windows Printing to a Local Printer.">Windows Printing to a Local Printer</a> illustrates local Windows
- printing.
- </p><div class="figure"><a name="f1small"></a><p class="title"><b>Figure 22.1. Windows Printing to a Local Printer.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/1small.png" alt="Windows Printing to a Local Printer."></div></div></div><br class="figure-break"></div><div class="sect2" title="UNIX Printfile Conversion and GUI Basics"><div class="titlepage"><div><div><h3 class="title"><a name="id400881"></a>UNIX Printfile Conversion and GUI Basics</h3></div></div></div><p>
- <a class="indexterm" name="id400889"></a>
- <a class="indexterm" name="id400896"></a>
- <a class="indexterm" name="id400903"></a>
- <a class="indexterm" name="id400909"></a>
- In UNIX and Linux, there is no comparable layer built into the OS kernel(s) or the X (screen display) server.
- Every application is responsible for itself to create its print output. Fortunately, most use PostScript and
- that at least gives some common ground. Unfortunately, there are many different levels of quality for this
- PostScript. And worse, there is a huge difference (and no common root) in the way the same document is
- displayed on screen and how it is presented on paper. WYSIWYG is more difficult to achieve. This goes back to
- the time, decades ago, when the predecessors of X.org, designing the UNIX foundations and protocols for
- graphical user interfaces, refused to take responsibility for <span class="quote">&#8220;<span class="quote">paper output</span>&#8221;</span>, as some had
- demanded at the time, and restricted itself to <span class="quote">&#8220;<span class="quote">on-screen only.</span>&#8221;</span> (For some years now, the
- <span class="quote">&#8220;<span class="quote">Xprint</span>&#8221;</span> project has been under development, attempting to build printing support into the X
- framework, including a PostScript and a PCL driver, but it is not yet ready for prime time.) You can see this
- unfavorable inheritance up to the present day by looking into the various <span class="quote">&#8220;<span class="quote">font</span>&#8221;</span> directories on
- your system; there are separate ones for fonts used for X display and fonts to be used on paper.
- </p><p title="Background"><b>Background. </b>
- <a class="indexterm" name="id400950"></a>
-<a class="indexterm" name="id400956"></a>
-<a class="indexterm" name="id400963"></a>
-<a class="indexterm" name="id400970"></a>
-<a class="indexterm" name="id400977"></a>
-<a class="indexterm" name="id400984"></a>
-<a class="indexterm" name="id400990"></a>
-<a class="indexterm" name="id400997"></a>
-<a class="indexterm" name="id401004"></a>
-<a class="indexterm" name="id401011"></a>
- The PostScript programming language is an <span class="quote">&#8220;<span class="quote">invention</span>&#8221;</span> by Adobe, but its specifications have been
- published extensively. Its strength lies in its powerful abilities to describe graphical objects (fonts,
- shapes, patterns, lines, curves, and dots), their attributes (color, linewidth), and the way to manipulate
- (scale, distort, rotate, shift) them. Because of its open specification, anybody with the skill can start
- writing his or her own implementation of a PostScript interpreter and use it to display PostScript files on
- screen or on paper. Most graphical output devices are based on the concept of <span class="quote">&#8220;<span class="quote">raster images</span>&#8221;</span> or
- <span class="quote">&#8220;<span class="quote">pixels</span>&#8221;</span> (one notable exception is pen plotters). Of course, you can look at a PostScript file in
- its textual form and you will be reading its PostScript code, the language instructions that need to be
- interpreted by a rasterizer. Rasterizers produce pixel images, which may be displayed on screen by a viewer
- program or on paper by a printer.
- </p></div><div class="sect2" title="PostScript and Ghostscript"><div class="titlepage"><div><div><h3 class="title"><a name="post-and-ghost"></a>PostScript and Ghostscript</h3></div></div></div><p>
- <a class="indexterm" name="id401051"></a>
- <a class="indexterm" name="id401058"></a>
- <a class="indexterm" name="id401067"></a>
-<a class="indexterm" name="id401076"></a>
-<a class="indexterm" name="id401083"></a>
- So UNIX is lacking a common ground for printing on paper and displaying on screen. Despite this unfavorable
- legacy for UNIX, basic printing is fairly easy if you have PostScript printers at your disposal. The reason is
- that these devices have a built-in PostScript language <span class="quote">&#8220;<span class="quote">interpreter,</span>&#8221;</span> also called a raster image
- processor (RIP), (which makes them more expensive than other types of printers; throw PostScript toward them,
- and they will spit out your printed pages. The RIP does all the hard work of converting the PostScript drawing
- commands into a bitmap picture as you see it on paper, in a resolution as done by your printer. This is no
- different than PostScript printing a file from a Windows origin.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- <a class="indexterm" name="id401106"></a>
-<a class="indexterm" name="id401112"></a>
-<a class="indexterm" name="id401119"></a>
- Traditional UNIX programs and printing systems while using PostScript are largely not
- PPD-aware. PPDs are <span class="quote">&#8220;<span class="quote">PostScript Printer Description</span>&#8221;</span> files. They enable you to specify and
- control all options a printer supports: duplexing, stapling, and punching. Therefore, UNIX users for a long
- time couldn't choose many of the supported device and job options, unlike Windows or Apple users. But now
- there is CUPS. as illustrated in <a class="link" href="CUPS-printing.html#f2small" title="Figure 22.2. Printing to a PostScript Printer.">Printing to a PostScript Printer</a>.
- </p></div><div class="figure"><a name="f2small"></a><p class="title"><b>Figure 22.2. Printing to a PostScript Printer.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/2small.png" alt="Printing to a PostScript Printer."></div></div></div><br class="figure-break"><p>
- <a class="indexterm" name="id401193"></a>
- However, there are other types of printers out there. These do not know how to print PostScript. They use
- their own PDL, often proprietary. To print to them is much more demanding. Since your UNIX applications mostly
- produce PostScript, and since these devices do not understand PostScript, you need to convert the print files
- to a format suitable for your printer on the host before you can send it away.
- </p></div><div class="sect2" title="Ghostscript: The Software RIP for Non-PostScript Printers"><div class="titlepage"><div><div><h3 class="title"><a name="id401205"></a>Ghostscript: The Software RIP for Non-PostScript Printers</h3></div></div></div><p>
- <a class="indexterm" name="id401213"></a>
- Here is where Ghostscript kicks in. Ghostscript is the traditional (and quite powerful) PostScript interpreter
- used on UNIX platforms. It is a RIP in software, capable of doing a <span class="emphasis"><em>lot</em></span> of file format
- conversions for a very broad spectrum of hardware devices as well as software file formats. Ghostscript
- technology and drivers are what enable PostScript printing to non-PostScript hardware. This is shown in
- <a class="link" href="CUPS-printing.html#f3small" title="Figure 22.3. Ghostscript as a RIP for Non-PostScript Printers.">Ghostscript as a RIP for Non-PostScript Printers</a>.
- </p><div class="figure"><a name="f3small"></a><p class="title"><b>Figure 22.3. Ghostscript as a RIP for Non-PostScript Printers.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/3small.png" alt="Ghostscript as a RIP for Non-PostScript Printers."></div></div></div><br class="figure-break"><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
-<a class="indexterm" name="id401280"></a>
-<a class="indexterm" name="id401286"></a>
-<a class="indexterm" name="id401293"></a>
- Use the <span class="quote">&#8220;<span class="quote">gs -h</span>&#8221;</span> command to check for all built-in <span class="quote">&#8220;<span class="quote">devices</span>&#8221;</span> on your Ghostscript
- version. If you specify a parameter of <em class="parameter"><code>-sDEVICE=png256</code></em> on your Ghostscript command
- line, you are asking Ghostscript to convert the input into a PNG file. Naming a <span class="quote">&#8220;<span class="quote">device</span>&#8221;</span> on the
- command line is the most important single parameter to tell Ghostscript exactly how it should render the
- input. New Ghostscript versions are released at fairly regular intervals, now by artofcode LLC. They are
- initially put under the <span class="quote">&#8220;<span class="quote">AFPL</span>&#8221;</span> license, but re-released under the GNU GPL as soon as the next
- AFPL version appears. GNU Ghostscript is probably the version installed on most Samba systems. But it has some
- deficiencies. <a class="indexterm" name="id401326"></a> Therefore, ESP Ghostscript was developed as an enhancement over GNU Ghostscript,
- with lots of bug-fixes, additional devices, and improvements. It is jointly maintained by developers from
- CUPS, Gutenprint, MandrakeSoft, SuSE, Red Hat, and Debian. It includes the <span class="quote">&#8220;<span class="quote">cups</span>&#8221;</span> device
- (essential to print to non-PS printers from CUPS).
- </p></div></div><div class="sect2" title="PostScript Printer Description (PPD) Specification"><div class="titlepage"><div><div><h3 class="title"><a name="id401346"></a>PostScript Printer Description (PPD) Specification</h3></div></div></div><p>
- <a class="indexterm" name="id401354"></a>
-<a class="indexterm" name="id401360"></a>
-<a class="indexterm" name="id401367"></a>
- While PostScript in essence is a PDL to represent the page layout in a device-independent way, real-world
- print jobs are always ending up being output on hardware with device-specific features. To take care of all
- the differences in hardware and to allow for innovations, Adobe has specified a syntax and file format for
- PostScript Printer Description (PPD) files. Every PostScript printer ships with one of these files.
- </p><p>
- PPDs contain all the information about general and special features of the
- given printer model: Which different resolutions can it handle? Does
- it have a duplexing unit? How many paper trays are there? What media
- types and sizes does it take? For each item, it also names the special
- command string to be sent to the printer (mostly inside the PostScript
- file) in order to enable it.
- </p><p>
- Information from these PPDs is meant to be taken into account by the
- printer drivers. Therefore, installed as part of the Windows
- PostScript driver for a given printer is the printer's PPD. Where it
- makes sense, the PPD features are presented in the drivers' UI dialogs
- to display to the user a choice of print options. In the end, the
- user selections are somehow written (in the form of special
- PostScript, PJL, JCL, or vendor-dependent commands) into the PostScript
- file created by the driver.
- </p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
- <a class="indexterm" name="id401396"></a>
-<a class="indexterm" name="id401402"></a>
- A PostScript file that was created to contain device-specific commands
- for achieving a certain print job output (e.g., duplexed, stapled, and
- punched) on a specific target machine may not print as expected, or
- may not be printable at all on other models; it also may not be fit
- for further processing by software (e.g., by a PDF distilling program).
- </p></div></div><div class="sect2" title="Using Windows-Formatted Vendor PPDs"><div class="titlepage"><div><div><h3 class="title"><a name="id401414"></a>Using Windows-Formatted Vendor PPDs</h3></div></div></div><p>
-<a class="indexterm" name="id401422"></a>
-<a class="indexterm" name="id401429"></a>
-<a class="indexterm" name="id401436"></a>
- CUPS can handle all spec-compliant PPDs as supplied by the manufacturers for their PostScript models. Even if
- a vendor does not mention our favorite OS in his or her manuals and brochures, you can safely trust this:
- <span class="emphasis"><em>If you get the Windows NT version of the PPD, you can use it unchanged in CUPS</em></span> and thus
- access the full power of your printer just like a Windows NT user could!
- </p><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
- To check the spec compliance of any PPD online, go to <a class="ulink" href="http://www.cups.org/testppd.php" target="_top">http://www.cups.org/testppd.php</a> and upload your PPD. You will
- see the results displayed immediately. CUPS in all versions after 1.1.19 has a much stricter internal PPD
- parsing and checking code enabled; in case of printing trouble, this online resource should be one of your
- first pit stops.
- </p></div><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
- <a class="indexterm" name="id401469"></a>
- <a class="indexterm" name="id401476"></a>
- For real PostScript printers, <span class="emphasis"><em>do not</em></span> use the <span class="emphasis"><em>Foomatic</em></span> or
- <span class="emphasis"><em>cupsomatic</em></span> PPDs from Linuxprinting.org. With these devices, the original vendor-provided
- PPDs are always the first choice.
- </p></div><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
-<a class="indexterm" name="id401499"></a>
- If you are looking for an original vendor-provided PPD of a specific device, and you know that an NT4 box (or
- any other Windows box) on your LAN has the PostScript driver installed, just use <code class="literal">smbclient
- //NT4-box/print\$ -U username</code> to access the Windows directory where all printer driver files are
- stored. First look in the <code class="filename">W32X86/2</code> subdirectory for the PPD you are seeking.
- </p></div></div><div class="sect2" title="CUPS Also Uses PPDs for Non-PostScript Printers"><div class="titlepage"><div><div><h3 class="title"><a name="id401523"></a>CUPS Also Uses PPDs for Non-PostScript Printers</h3></div></div></div><p>
-<a class="indexterm" name="id401531"></a>
-<a class="indexterm" name="id401538"></a>
-<a class="indexterm" name="id401545"></a>
- CUPS also uses specially crafted PPDs to handle non-PostScript printers. These PPDs are usually not available
- from the vendors (and no, you can't just take the PPD of a PostScript printer with the same model name and
- hope it works for the non-PostScript version too). To understand how these PPDs work for non-PS printers, we
- first need to dive deeply into the CUPS filtering and file format conversion architecture. Stay tuned.
- </p></div></div><div class="sect1" title="The CUPS Filtering Architecture"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id401558"></a>The CUPS Filtering Architecture</h2></div></div></div><p>
-<a class="indexterm" name="id401566"></a>
-<a class="indexterm" name="id401573"></a>
-<a class="indexterm" name="id401580"></a>
-<a class="indexterm" name="id401587"></a>
-<a class="indexterm" name="id401593"></a>
-The core of the CUPS filtering system is based on Ghostscript. In addition to Ghostscript, CUPS uses some
-other filters of its own. You (or your OS vendor) may have plugged in even more filters. CUPS handles all data
-file formats under the label of various MIME types. Every incoming print file is subjected to an initial
-autotyping. The autotyping determines its given MIME type. A given MIME type implies zero or more possible
-filtering chains relevant to the selected target printer. This section discusses how MIME types recognition
-and conversion rules interact. They are used by CUPS to automatically set up a working filtering chain for any
-given input data format.
-</p><p>
-If CUPS rasterizes a PostScript file natively to a bitmap, this is done in two stages:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id401616"></a>
-<a class="indexterm" name="id401623"></a>
- The first stage uses a Ghostscript device named <span class="quote">&#8220;<span class="quote">cups</span>&#8221;</span>
- (this is since version 1.1.15) and produces a generic raster format
- called <span class="quote">&#8220;<span class="quote">CUPS raster</span>&#8221;</span>.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id401643"></a>
- The second stage uses a <span class="quote">&#8220;<span class="quote">raster driver</span>&#8221;</span> that converts
- the generic CUPS raster to a device-specific raster.
- </p></li></ul></div><p>
-<a class="indexterm" name="id401658"></a>
-<a class="indexterm" name="id401665"></a>
-<a class="indexterm" name="id401672"></a>
-Make sure your Ghostscript version has the <span class="quote">&#8220;<span class="quote">cups</span>&#8221;</span> device compiled in (check with <code class="literal">gs -h |
-grep cups</code>). Otherwise you may encounter the dreaded <code class="computeroutput">Unable to convert file
-0</code> in your CUPS error_log file. To have <span class="quote">&#8220;<span class="quote">cups</span>&#8221;</span> as a device in your Ghostscript,
-you either need to patch GNU Ghostscript and recompile or use
-<a class="indexterm" name="id401700"></a><a class="ulink" href="http://www.cups.org/ghostscript.php" target="_top">ESP Ghostscript</a>. The superior alternative is ESP
-Ghostscript. It supports not just CUPS, but 300 other devices (while GNU Ghostscript supports only about 180).
-Because of this broad output device support, ESP Ghostscript is the first choice for non-CUPS spoolers, too.
-It is now recommended by Linuxprinting.org for all spoolers.
-</p><p>
-<a class="indexterm" name="id401720"></a>
-<a class="indexterm" name="id401726"></a>
-<a class="indexterm" name="id401733"></a>
-<a class="indexterm" name="id401740"></a>
-CUPS printers may be set up to use external rendering paths. One of the most common is provided by the
-Foomatic/cupsomatic concept from <a class="ulink" href="http://www.linuxprinting.org/" target="_top">Linuxprinting.org</a>. This
-uses the classical Ghostscript approach, doing everything in one step. It does not use the
-<span class="quote">&#8220;<span class="quote">cups</span>&#8221;</span> device, but one of the many others. However, even for Foomatic/cupsomatic usage, best
-results and <a class="indexterm" name="id401759"></a> broadest printer
-model support is provided by ESP Ghostscript (more about Foomatic/cupsomatic, particularly the new version
-called now <span class="emphasis"><em>foomatic-rip</em></span>, follows).
-</p><div class="sect2" title="MIME Types and CUPS Filters"><div class="titlepage"><div><div><h3 class="title"><a name="id401774"></a>MIME Types and CUPS Filters</h3></div></div></div><p>
- <a class="indexterm" name="id401782"></a>
- <a class="indexterm" name="id401792"></a>
-<a class="indexterm" name="id401798"></a>
-<a class="indexterm" name="id401805"></a>
-<a class="indexterm" name="id401812"></a>
- CUPS reads the file <code class="filename">/etc/cups/mime.types</code> (and all other files carrying a
- <code class="filename">*.types</code> suffix in the same directory) upon startup. These files contain the MIME type
- recognition rules that are applied when CUPS runs its autotyping routines. The rule syntax is explained in the
- man page for <code class="filename">mime.types</code> and in the comments section of the
- <code class="filename">mime.types</code> file itself. A simple rule reads like this:
- <a class="indexterm" name="id401845"></a>
-</p><pre class="programlisting">
-application/pdf pdf string(0,%PDF)
-</pre><p>
-<a class="indexterm" name="id401858"></a>
-<a class="indexterm" name="id401865"></a>
- This means if a filename has a <code class="filename">.pdf</code> suffix or if the magic string
- <span class="emphasis"><em>%PDF</em></span> is right at the beginning of the file itself (offset 0 from the start), then it is a
- PDF file (<em class="parameter"><code>application/pdf</code></em>). Another rule is this:
-</p><pre class="programlisting">
-application/postscript ai eps ps string(0,%!) string(0,&lt;04&gt;%!)
-</pre><p>
-<a class="indexterm" name="id401895"></a>
-<a class="indexterm" name="id401902"></a>
-<a class="indexterm" name="id401909"></a>
-<a class="indexterm" name="id401916"></a>
-<a class="indexterm" name="id401923"></a>
-<a class="indexterm" name="id401929"></a>
- If the filename has one of the suffixes <code class="filename">.ai</code>, <code class="filename">.eps</code>,
- <code class="filename">.ps</code>, or if the file itself starts with one of the strings <span class="emphasis"><em>%!</em></span> or
- <span class="emphasis"><em>&lt;04&gt;%!</em></span>, it is a generic PostScript file
- (<em class="parameter"><code>application/postscript</code></em>).
- </p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-<a class="indexterm" name="id401972"></a>
- Don't confuse the other mime.types files your system might be using
- with the one in the <code class="filename">/etc/cups/</code> directory.
- </p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id401990"></a>
-<a class="indexterm" name="id401997"></a>
-<a class="indexterm" name="id402004"></a>
-<a class="indexterm" name="id402010"></a>
-<a class="indexterm" name="id402017"></a>
- There is an important difference between two similar MIME types in CUPS: one is
- <em class="parameter"><code>application/postscript</code></em>, the other is
- <em class="parameter"><code>application/vnd.cups-postscript</code></em>. While <em class="parameter"><code>application/postscript</code></em> is
- meant to be device-independent, job options for the file are still outside the PS file content, embedded in
- command line or environment variables by CUPS, <em class="parameter"><code>application/vnd.cups-postscript</code></em> may have
- the job options inserted into the PostScript data itself (where applicable). The transformation of the generic
- PostScript (<em class="parameter"><code>application/postscript</code></em>) to the device-specific version
- (<em class="parameter"><code>application/vnd.cups-postscript</code></em>) is the responsibility of the CUPS
- <em class="parameter"><code>pstops</code></em> filter. pstops uses information contained in the PPD to do the transformation.
- </p></div><p>
-<a class="indexterm" name="id402073"></a>
-<a class="indexterm" name="id402080"></a>
-<a class="indexterm" name="id402087"></a>
-<a class="indexterm" name="id402093"></a>
-<a class="indexterm" name="id402100"></a>
-<a class="indexterm" name="id402106"></a>
-<a class="indexterm" name="id402113"></a>
-<a class="indexterm" name="id402120"></a>
-<a class="indexterm" name="id402126"></a>
-<a class="indexterm" name="id402133"></a>
-<a class="indexterm" name="id402140"></a>
-<a class="indexterm" name="id402147"></a>
-<a class="indexterm" name="id402154"></a>
-<a class="indexterm" name="id402161"></a>
-<a class="indexterm" name="id402167"></a>
-<a class="indexterm" name="id402174"></a>
- CUPS can handle ASCII text, HP-GL, PDF, PostScript, DVI, and
- many image formats (GIF, PNG, TIFF, JPEG, Photo-CD, SUN-Raster,
- PNM, PBM, SGI-RGB, and more) and their associated MIME types
- with its filters.
- </p></div><div class="sect2" title="MIME Type Conversion Rules"><div class="titlepage"><div><div><h3 class="title"><a name="id402185"></a>MIME Type Conversion Rules</h3></div></div></div><p>
- <a class="indexterm" name="id402193"></a>
- <a class="indexterm" name="id402200"></a>
-<a class="indexterm" name="id402206"></a>
-<a class="indexterm" name="id402213"></a>
-<a class="indexterm" name="id402220"></a>
- CUPS reads the file <code class="filename">/etc/cups/mime.convs</code>
- (and all other files named with a <code class="filename">*.convs</code>
- suffix in the same directory) upon startup. These files contain
- lines naming an input MIME type, an output MIME type, a format
- conversion filter that can produce the output from the input type,
- and virtual costs associated with this conversion. One example line
- reads like this:
-</p><pre class="programlisting">
-application/pdf application/postscript 33 pdftops
-</pre><p>
-<a class="indexterm" name="id402248"></a>
- This means that the <em class="parameter"><code>pdftops</code></em> filter will take
- <em class="parameter"><code>application/pdf</code></em> as input and produce
- <em class="parameter"><code>application/postscript</code></em> as output; the virtual
- cost of this operation is 33 CUPS-$. The next filter is more
- expensive, costing 66 CUPS-$:
- <a class="indexterm" name="id402274"></a>
-</p><pre class="programlisting">
-application/vnd.hp-HPGL application/postscript 66 hpgltops
-</pre><p>
-<a class="indexterm" name="id402287"></a>
- This is the <em class="parameter"><code>hpgltops</code></em>, which processes HP-GL
- plotter files to PostScript.
- <a class="indexterm" name="id402300"></a>
-</p><pre class="programlisting">
-application/octet-stream
-</pre><p>
- Here are two more examples:
- <a class="indexterm" name="id402313"></a>
-<a class="indexterm" name="id402320"></a>
-<a class="indexterm" name="id402327"></a>
-<a class="indexterm" name="id402334"></a>
-</p><pre class="programlisting">
-application/x-shell application/postscript 33 texttops
-text/plain application/postscript 33 texttops
-</pre><p>
-<a class="indexterm" name="id402347"></a>
- The last two examples name the <em class="parameter"><code>texttops</code></em> filter to work on
- <em class="parameter"><code>text/plain</code></em> as well as on <em class="parameter"><code>application/x-shell</code></em>. (Hint: This
- differentiation is needed for the syntax highlighting feature of <em class="parameter"><code>texttops</code></em>).
- </p></div><div class="sect2" title="Filtering Overview"><div class="titlepage"><div><div><h3 class="title"><a name="id402381"></a>Filtering Overview</h3></div></div></div><p>
- <a class="indexterm" name="id402389"></a>
- There are many more combinations named in <code class="filename">mime.convs</code>. However, you are not limited to use
- the ones predefined there. You can plug in any filter you like to the CUPS framework. It must meet, or must be
- made to meet, some minimal requirements. If you find (or write) a cool conversion filter of some kind, make
- sure it complies with what CUPS needs and put in the right lines in <code class="filename">mime.types</code> and
- <code class="filename">mime.convs</code>; then it will work seamlessly inside CUPS.
- </p><div class="sect3" title="Filter Requirements"><div class="titlepage"><div><div><h4 class="title"><a name="id402418"></a>Filter Requirements</h4></div></div></div><p>
- The <span class="quote">&#8220;<span class="quote">CUPS requirements</span>&#8221;</span> for filters are simple. Take filenames or <code class="filename">stdin</code> as
- input and write to <code class="filename">stdout</code>. They should take these arguments:
- </p><div class="variablelist"><dl><dt><span class="term">printer</span></dt><dd><p>
- The name of the printer queue (normally this is the name of the filter being run).
- </p></dd><dt><span class="term">job</span></dt><dd><p>
- The numeric job ID for the job being printed.
- </p></dd><dt><span class="term">user</span></dt><dd><p>
- The string from the originating-user-name attribute.
- </p></dd><dt><span class="term">title</span></dt><dd><p>
- The string from the job-name attribute.
- </p></dd><dt><span class="term">copies</span></dt><dd><p>
- The numeric value from the number-copies attribute.
- </p></dd><dt><span class="term">options</span></dt><dd><p>
- The job options.
- </p></dd><dt><span class="term">filename</span></dt><dd><p>
- (optionally) The print request file (if missing, filters expect data
- fed through <code class="filename">stdin</code>). In most cases, it is easy to
- write a simple wrapper script around existing filters to make them work with CUPS.
- </p></dd></dl></div></div></div><div class="sect2" title="Prefilters"><div class="titlepage"><div><div><h3 class="title"><a name="id402529"></a>Prefilters</h3></div></div></div><p>
- <a class="indexterm" name="id402537"></a>
-<a class="indexterm" name="id402544"></a>
-<a class="indexterm" name="id402551"></a>
- As previously stated, PostScript is the central file format to any UNIX-based
- printing system. From PostScript, CUPS generates raster data to feed
- non-PostScript printers.
- </p><p>
-<a class="indexterm" name="id402562"></a>
-<a class="indexterm" name="id402569"></a>
-<a class="indexterm" name="id402576"></a>
-<a class="indexterm" name="id402583"></a>
-<a class="indexterm" name="id402589"></a>
-<a class="indexterm" name="id402596"></a>
-<a class="indexterm" name="id402603"></a>
-<a class="indexterm" name="id402609"></a>
-<a class="indexterm" name="id402616"></a>
-<a class="indexterm" name="id402623"></a>
- But what happens if you send one of the supported non-PS formats to print? Then CUPS runs
- <span class="quote">&#8220;<span class="quote">prefilters</span>&#8221;</span> on these input formats to generate PostScript first. There are prefilters to create
- PostScript from ASCII text, PDF, DVI, or HP-GL. The outcome of these filters is always of MIME type
- <em class="parameter"><code>application/postscript</code></em> (meaning that any device-specific print options are not yet
- embedded into the PostScript by CUPS and that the next filter to be called is pstops). Another prefilter is
- running on all supported image formats, the <em class="parameter"><code>imagetops</code></em> filter. Its outcome is always of
- MIME type <em class="parameter"><code>application/vnd.cups-postscript</code></em> (not application/postscript), meaning it has
- the print options already embedded into the file. This is shown in <a class="link" href="CUPS-printing.html#f4small" title="Figure 22.4. Prefiltering in CUPS to Form PostScript.">Prefiltering in
- CUPS to Form PostScript</a>.
- </p><div class="figure"><a name="f4small"></a><p class="title"><b>Figure 22.4. Prefiltering in CUPS to Form PostScript.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/4small.png" width="135" alt="Prefiltering in CUPS to Form PostScript."></div></div></div><br class="figure-break"></div><div class="sect2" title="pstops"><div class="titlepage"><div><div><h3 class="title"><a name="id402708"></a>pstops</h3></div></div></div><p>
-<a class="indexterm" name="id402716"></a>
-<a class="indexterm" name="id402722"></a>
-<a class="indexterm" name="id402729"></a>
-<a class="indexterm" name="id402736"></a>
-<a class="indexterm" name="id402743"></a>
-<a class="indexterm" name="id402750"></a>
-<a class="indexterm" name="id402756"></a>
- <span class="emphasis"><em>pstops</em></span> is a filter that is used to convert <em class="parameter"><code>application/postscript</code></em> to
- <em class="parameter"><code>application/vnd.cups-postscript</code></em>. As stated earlier, this filter inserts all
- device-specific print options (commands to the printer to ask for the duplexing of output, or stapling and
- punching it, and so on) into the PostScript file. An example is illustrated in <a class="link" href="CUPS-printing.html#f5small" title="Figure 22.5. Adding Device-Specific Print Options.">Adding Device-Specific Print Options</a>.
- </p><div class="figure"><a name="f5small"></a><p class="title"><b>Figure 22.5. Adding Device-Specific Print Options.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/5small.png" width="135" alt="Adding Device-Specific Print Options."></div></div></div><br class="figure-break"><p>
- This is not all. Other tasks performed by it are:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Selecting the range of pages to be printed (e.g., you can choose to
- print only pages <span class="quote">&#8220;<span class="quote">3, 6, 8-11, 16, and 19-21</span>&#8221;</span>, or only odd-numbered
- pages).
- </p></li><li class="listitem"><p>
- Putting two or more logical pages on one sheet of paper (the
- so-called <span class="quote">&#8220;<span class="quote">number-up</span>&#8221;</span> function).
- </p></li><li class="listitem"><p>Counting the pages of the job to insert the accounting
- information into the <code class="filename">/var/log/cups/page_log</code>.
- </p></li></ul></div></div><div class="sect2" title="pstoraster"><div class="titlepage"><div><div><h3 class="title"><a name="id402868"></a>pstoraster</h3></div></div></div><p>
-<a class="indexterm" name="id402876"></a>
-<a class="indexterm" name="id402882"></a>
-<a class="indexterm" name="id402889"></a>
- <em class="parameter"><code>pstoraster</code></em> is at the core of the CUPS filtering system. It is responsible for the first
- stage of the rasterization process. Its input is of MIME type application/vnd.cups-postscript; its output is
- application/vnd.cups-raster. This output format is not yet meant to be printable. Its aim is to serve as a
- general-purpose input format for more specialized <span class="emphasis"><em>raster drivers</em></span> that are able to
- generate device-specific printer data. This is shown in <a class="link" href="CUPS-printing.html#cups-raster" title="Figure 22.6. PostScript to Intermediate Raster Format.">the PostScript to
- Intermediate Raster Format diagram</a>.
- </p><div class="figure"><a name="cups-raster"></a><p class="title"><b>Figure 22.6. PostScript to Intermediate Raster Format.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/6small.png" width="135" alt="PostScript to Intermediate Raster Format."></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="id402960"></a>
-<a class="indexterm" name="id402967"></a>
-<a class="indexterm" name="id402974"></a>
-<a class="indexterm" name="id402981"></a>
- CUPS raster is a generic raster format with powerful features. It is able to include per-page information,
- color profiles, and more, to be used by the downstream raster drivers. Its MIME type is registered with IANA
- and its specification is, of course, completely open. It is designed to make it quite easy and inexpensive for
- manufacturers to develop Linux and UNIX raster drivers for their printer models should they choose to do so.
- CUPS always takes care of the first stage of rasterization so these vendors do not need to care about
- Ghostscript complications (in fact, there are currently more than one vendor financing the development of CUPS
- raster drivers). This is illustrated in <a class="link" href="CUPS-printing.html#cups-raster2" title="Figure 22.7. CUPS-Raster Production Using Ghostscript.">the CUPS-Raster Production Using
- Ghostscript illustration</a>.
- </p><div class="figure"><a name="cups-raster2"></a><p class="title"><b>Figure 22.7. CUPS-Raster Production Using Ghostscript.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/7small.png" alt="CUPS-Raster Production Using Ghostscript."></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="id403046"></a>
-<a class="indexterm" name="id403053"></a>
-<a class="indexterm" name="id403059"></a>
-<a class="indexterm" name="id403066"></a>
- CUPS versions before version 1.1.15 shipped a binary (or source code) standalone filter, named
- <em class="parameter"><code>pstoraster</code></em>. <em class="parameter"><code>pstoraster</code></em>, which was derived from GNU Ghostscript
- 5.50 and could be installed instead of and in addition to any GNU or AFPL Ghostscript package without
- conflicting.
- </p><p>
- Since version 1.1.15, this feature has changed. The functions for this filter have been integrated back
- into Ghostscript (now based on GNU Ghostscript version 7.05). The <em class="parameter"><code>pstoraster</code></em> filter is
- now a simple shell script calling <code class="literal">gs</code> with the <code class="literal">-sDEVICE=cups</code> parameter.
- If your Ghostscript fails when this command is executed: <code class="literal">gs -h |grep cups</code>, you might not
- be able to print, update your Ghostscript.
- </p></div><div class="sect2" title="imagetops and imagetoraster"><div class="titlepage"><div><div><h3 class="title"><a name="id403119"></a>imagetops and imagetoraster</h3></div></div></div><p>
-<a class="indexterm" name="id403127"></a>
-<a class="indexterm" name="id403134"></a>
- In the section about prefilters, we mentioned the prefilter
- that generates PostScript from image formats. The <em class="parameter"><code>imagetoraster</code></em>
- filter is used to convert directly from image to raster, without the
- intermediate PostScript stage. It is used more often than the previously
- mentioned prefilters. We summarize in a flowchart the image file
- filtering in <a class="link" href="CUPS-printing.html#small8" title="Figure 22.8. Image Format to CUPS-Raster Format Conversion.">the Image Format to CUPS-Raster Format Conversion illustration</a>.
- </p><div class="figure"><a name="small8"></a><p class="title"><b>Figure 22.8. Image Format to CUPS-Raster Format Conversion.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/8small.png" alt="Image Format to CUPS-Raster Format Conversion."></div></div></div><br class="figure-break"></div><div class="sect2" title="rasterto [printers specific]"><div class="titlepage"><div><div><h3 class="title"><a name="id403199"></a>rasterto [printers specific]</h3></div></div></div><p>
-<a class="indexterm" name="id403207"></a>
-<a class="indexterm" name="id403214"></a>
-<a class="indexterm" name="id403220"></a>
-<a class="indexterm" name="id403227"></a>
-<a class="indexterm" name="id403234"></a>
-<a class="indexterm" name="id403241"></a>
-<a class="indexterm" name="id403248"></a>
-<a class="indexterm" name="id403254"></a>
-<a class="indexterm" name="id403261"></a>
-<a class="indexterm" name="id403268"></a>
-<a class="indexterm" name="id403275"></a>
- CUPS ships with quite a variety of raster drivers for processing CUPS raster. On my system, I find in
- /usr/lib/cups/filter/ the following: <em class="parameter"><code>rastertoalps</code></em>, <em class="parameter"><code>rastertobj</code></em>,
- <em class="parameter"><code>rastertoepson</code></em>, <em class="parameter"><code>rastertoescp</code></em>, <em class="parameter"><code>rastertopcl</code></em>,
- <em class="parameter"><code>rastertoturboprint</code></em>, <em class="parameter"><code>rastertoapdk</code></em>,
- <em class="parameter"><code>rastertodymo</code></em>, <em class="parameter"><code>rastertoescp</code></em>, <em class="parameter"><code>rastertohp</code></em>,
- and <em class="parameter"><code>rastertoprinter</code></em>. Don't worry if you have fewer drivers than this; some of these are
- installed by commercial add-ons to CUPS (like <em class="parameter"><code>rastertoturboprint</code></em>), and others (like
- <em class="parameter"><code>rastertoprinter</code></em>) by third-party driver development projects (such as Gutenprint)
- wanting to cooperate as closely as possible with CUPS. See <a class="link" href="CUPS-printing.html#small9" title="Figure 22.9. Raster to Printer-Specific Formats.">the Raster to
- Printer-Specific Formats illustration</a>.
- </p><div class="figure"><a name="small9"></a><p class="title"><b>Figure 22.9. Raster to Printer-Specific Formats.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/9small.png" alt="Raster to Printer-Specific Formats."></div></div></div><br class="figure-break"></div><div class="sect2" title="CUPS Backends"><div class="titlepage"><div><div><h3 class="title"><a name="id403411"></a>CUPS Backends</h3></div></div></div><p>
-<a class="indexterm" name="id403419"></a>
-<a class="indexterm" name="id403425"></a>
- The last part of any CUPS filtering chain is a backend. Backends
- are special programs that send the print-ready file to the final
- device. There is a separate backend program for any transfer
- protocol for sending print jobs over the network, and one for every local
- interface. Every CUPS print queue needs to have a CUPS <span class="quote">&#8220;<span class="quote">device-URI</span>&#8221;</span>
- associated with it. The device URI is the way to encode the backend
- used to send the job to its destination. Network device-URIs use
- two slashes in their syntax, local device URIs only one, as you can
- see from the following list. Keep in mind that local interface names
- may vary greatly from my examples, if your OS is not Linux:
- </p><div class="variablelist"><dl><dt><span class="term">usb</span></dt><dd><p>
- This backend sends print files to USB-connected printers. An
- example for the CUPS device-URI to use is
- <code class="filename">usb:/dev/usb/lp0</code>.
- </p></dd><dt><span class="term">serial</span></dt><dd><p>
- This backend sends print files to serially connected printers.
- An example for the CUPS device-URI to use is
- <code class="filename">serial:/dev/ttyS0?baud=11500</code>.
- </p></dd><dt><span class="term">parallel</span></dt><dd><p>
- This backend sends print files to printers connected to the
- parallel port. An example for the CUPS device-URI to use is
- <code class="filename">parallel:/dev/lp0</code>.
- </p></dd><dt><span class="term">SCSI</span></dt><dd><p>
- This backend sends print files to printers attached to the
- SCSI interface. An example for the CUPS device-URI to use is
- <code class="filename">scsi:/dev/sr1</code>.
- </p></dd><dt><span class="term">lpd</span></dt><dd><p>
- This backend sends print files to LPR/LPD-connected network
- printers. An example for the CUPS device-URI to use is
- <code class="filename">lpd://remote_host_name/remote_queue_name</code>.
- </p></dd><dt><span class="term">AppSocket/HP JetDirect</span></dt><dd><p>
- This backend sends print files to AppSocket (a.k.a., HP
- JetDirect) connected network printers. An example for the CUPS
- device-URI to use is
- <code class="filename">socket://10.11.12.13:9100</code>.
- </p></dd><dt><span class="term">ipp</span></dt><dd><p>
- This backend sends print files to IPP-connected network
- printers (or to other CUPS servers). Examples for CUPS device-URIs
- to use are
- <code class="filename">ipp:://192.193.194.195/ipp</code>
- (for many HP printers) and
- <code class="filename">ipp://remote_cups_server/printers/remote_printer_name</code>.
- </p></dd><dt><span class="term">http</span></dt><dd><p>
- This backend sends print files to HTTP-connected printers.
- (The http:// CUPS backend is only a symlink to the ipp:// backend.)
- Examples for the CUPS device-URIs to use are
- <code class="filename">http:://192.193.194.195:631/ipp</code>
- (for many HP printers) and
- <code class="filename">http://remote_cups_server:631/printers/remote_printer_name</code>.
- </p></dd><dt><span class="term">smb</span></dt><dd><p>
- This backend sends print files to printers shared by a Windows
- host. Examples of CUPS device-URIs that may be used includes:
- </p><p>
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><code class="filename">smb://workgroup/server/printersharename</code></td></tr><tr><td><code class="filename">smb://server/printersharename</code></td></tr><tr><td><code class="filename">smb://username:password@workgroup/server/printersharename</code></td></tr><tr><td><code class="filename">smb://username:password@server/printersharename</code></td></tr></table><p>
- </p><p>
- The smb:// backend is a symlink to the Samba utility
- <em class="parameter"><code>smbspool</code></em> (does not ship with CUPS). If the
- symlink is not present in your CUPS backend directory, have your
- root user create it: <code class="literal">ln -s `which smbspool'
- /usr/lib/cups/backend/smb</code>.
- </p></dd></dl></div><p>
- It is easy to write your own backends as shell or Perl scripts if you
- need any modification or extension to the CUPS print system. One
- reason could be that you want to create <span class="quote">&#8220;<span class="quote">special</span>&#8221;</span> printers that send
- the print jobs as email (through a <span class="quote">&#8220;<span class="quote">mailto:/</span>&#8221;</span> backend), convert them to
- PDF (through a <span class="quote">&#8220;<span class="quote">pdfgen:/</span>&#8221;</span> backend) or dump them to <span class="quote">&#8220;<span class="quote">/dev/null</span>&#8221;</span>. (In
- fact, I have the systemwide default printer set up to be connected to
- a devnull:/ backend: there are just too many people sending jobs
- without specifying a printer, and scripts and programs that do not name
- a printer. The systemwide default deletes the job and sends a polite
- email back to the $USER asking him or her to always specify the correct
- printer name.)
- </p><p>
-<a class="indexterm" name="id403677"></a>
-<a class="indexterm" name="id403684"></a>
- Not all of the mentioned backends may be present on your system or
- usable (depending on your hardware configuration). One test for all
- available CUPS backends is provided by the <span class="emphasis"><em>lpinfo</em></span>
- utility. Used with the <code class="option">-v</code> parameter, it lists
- all available backends:
- </p><pre class="screen">
- <code class="prompt">$ </code><strong class="userinput"><code>lpinfo -v</code></strong>
- </pre></div><div class="sect2" title="The Role of cupsomatic/foomatic"><div class="titlepage"><div><div><h3 class="title"><a name="id403719"></a>The Role of <em class="parameter"><code>cupsomatic/foomatic</code></em></h3></div></div></div><p>
- <a class="indexterm" name="id403731"></a>
- <a class="indexterm" name="id403738"></a>
-<a class="indexterm" name="id403745"></a>
-<a class="indexterm" name="id403752"></a>
-<a class="indexterm" name="id403758"></a>
- <em class="parameter"><code>cupsomatic</code></em> filters may be the most widely used on CUPS
- installations. You must be clear that these were not
- developed by the CUPS people. They are a third-party add-on to
- CUPS. They utilize the traditional Ghostscript devices to render jobs
- for CUPS. When troubleshooting, you should know about the
- difference. Here the whole rendering process is done in one stage,
- inside Ghostscript, using an appropriate device for the target
- printer. <em class="parameter"><code>cupsomatic</code></em> uses PPDs that are generated from the Foomatic
- Printer &amp; Driver Database at Linuxprinting.org.
- </p><p>
- You can recognize these PPDs from the line calling the
- <em class="parameter"><code>cupsomatic</code></em> filter:
-</p><pre class="programlisting">
-*cupsFilter: "application/vnd.cups-postscript 0 cupsomatic"
-</pre><p>
- You may find this line among the first 40 or so lines of the PPD
- file. If you have such a PPD installed, the printer shows up in the
- CUPS Web interface with a <em class="parameter"><code>foomatic</code></em> namepart for
- the driver description. <em class="parameter"><code>cupsomatic</code></em> is a Perl script that runs
- Ghostscript with all the complicated command line options
- autoconstructed from the selected PPD and command line options given to
- the print job.
- </p><p>
- <a class="indexterm" name="id403816"></a>
-<a class="indexterm" name="id403822"></a>
-<a class="indexterm" name="id403829"></a>
-<a class="indexterm" name="id403836"></a>
-<a class="indexterm" name="id403843"></a>
-<a class="indexterm" name="id403850"></a>
-<a class="indexterm" name="id403856"></a>
-<a class="indexterm" name="id403863"></a>
-<a class="indexterm" name="id403870"></a>
-<a class="indexterm" name="id403877"></a>
-<a class="indexterm" name="id403884"></a>
- However, <em class="parameter"><code>cupsomatic</code></em> is now deprecated. Its PPDs (especially the first
- generation of them, still in heavy use out there) are not meeting the
- Adobe specifications. You might also suffer difficulties when you try
- to download them with <span class="quote">&#8220;<span class="quote">Point'n'Print</span>&#8221;</span> to Windows clients. A better
- and more powerful successor is now available: it is called <em class="parameter"><code>foomatic-rip</code></em>. To use
- <em class="parameter"><code>foomatic-rip</code></em> as a filter with CUPS, you need the new type of PPDs, which
- have a similar but different line:
-</p><pre class="programlisting">
-*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
-</pre><p>
- The PPD-generating engine at Linuxprinting.org has been revamped.
- The new PPDs comply with the Adobe spec. They also provide a
- new way to specify different quality levels (hi-res photo, normal
- color, grayscale, and draft) with a single click, whereas before you
- could have required five or more different selections (media type,
- resolution, inktype, and dithering algorithm). There is support for
- custom-size media built in. There is support to switch
- print options from page to page in the middle of a job. And the
- best thing is that the new <code class="constant">foomatic-rip</code> works seamlessly with all
- legacy spoolers too (like LPRng, BSD-LPD, PDQ, PPR, and so on), providing
- for them access to use PPDs for their printing.
- </p></div><div class="sect2" title="The Complete Picture"><div class="titlepage"><div><div><h3 class="title"><a name="id403933"></a>The Complete Picture</h3></div></div></div><p>
- If you want to see an overview of all the filters and how they
- relate to each other, the complete picture of the puzzle is at the end
- of this chapter.
- </p></div><div class="sect2" title="mime.convs"><div class="titlepage"><div><div><h3 class="title"><a name="id403945"></a><code class="filename">mime.convs</code></h3></div></div></div><p>
- CUPS autoconstructs all possible filtering chain paths for any given
- MIME type and every printer installed. But how does it decide in
- favor of or against a specific alternative? (There may be cases
- where there is a choice of two or more possible filtering chains for
- the same target printer.) Simple. You may have noticed the figures in
- the third column of the mime.convs file. They represent virtual costs
- assigned to this filter. Every possible filtering chain will sum up to
- a total <span class="quote">&#8220;<span class="quote">filter cost.</span>&#8221;</span> CUPS decides for the most <span class="quote">&#8220;<span class="quote">inexpensive</span>&#8221;</span> route.
- </p><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
-<a class="indexterm" name="id403972"></a>
-<a class="indexterm" name="id403979"></a>
- Setting <em class="parameter"><code>FilterLimit 1000</code></em> in
- <code class="filename">cupsd.conf</code> will not allow more filters to
- run concurrently than will consume a total of 1000 virtual filter
- cost. This is an efficient way to limit the load of any CUPS
- server by setting an appropriate <span class="quote">&#8220;<span class="quote">FilterLimit</span>&#8221;</span> value. A FilterLimit of
- 200 allows roughly one job at a time, while a FilterLimit of 1000 allows
- approximately five jobs maximum at a time.
- </p></div></div><div class="sect2" title="&#8220;Raw&#8221; Printing"><div class="titlepage"><div><div><h3 class="title"><a name="id404006"></a><span class="quote">&#8220;<span class="quote">Raw</span>&#8221;</span> Printing</h3></div></div></div><p>
-<a class="indexterm" name="id404016"></a>
-<a class="indexterm" name="id404023"></a>
-<a class="indexterm" name="id404029"></a>
- You can tell CUPS to print (nearly) any file <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span>. <span class="quote">&#8220;<span class="quote">Raw</span>&#8221;</span> means it will not be
- filtered. CUPS will send the file to the printer <span class="quote">&#8220;<span class="quote">as is</span>&#8221;</span> without bothering if the printer is able
- to digest it. Users need to take care themselves that they send sensible data formats only. Raw printing can
- happen on any queue if the <span class="quote">&#8220;<span class="quote"><em class="parameter"><code>-o raw</code></em></span>&#8221;</span> option is specified on the command
- line. You can also set up raw-only queues by simply not associating any PPD with it. This command:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>lpadmin -P rawprinter -v socket://11.12.13.14:9100 -E</code></strong>
-</pre><p>
- sets up a queue named <span class="quote">&#8220;<span class="quote">rawprinter</span>&#8221;</span>, connected via the <span class="quote">&#8220;<span class="quote">socket</span>&#8221;</span> protocol (a.k.a.
- <span class="quote">&#8220;<span class="quote">HP JetDirect</span>&#8221;</span>) to the device at IP address 11.12.1.3.14, using port 9100. (If you had added a
- PPD with <code class="literal">-P /path/to/PPD</code> to this command line, you would have installed a
- <span class="quote">&#8220;<span class="quote">normal</span>&#8221;</span> print queue.)
- </p><p>
- CUPS will automatically treat each job sent to a queue as a <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> one
- if it can't find a PPD associated with the queue. However, CUPS will
- only send known MIME types (as defined in its own mime.types file) and
- refuse others.
- </p></div><div class="sect2" title="application/octet-stream Printing"><div class="titlepage"><div><div><h3 class="title"><a name="id404106"></a>application/octet-stream Printing</h3></div></div></div><p>
-<a class="indexterm" name="id404114"></a>
-<a class="indexterm" name="id404121"></a>
- Any MIME type with no rule in the <code class="filename">/etc/cups/mime.types</code> file is regarded as unknown
- or <em class="parameter"><code>application/octet-stream</code></em> and will not be
- sent. Because CUPS refuses to print unknown MIME types by default,
- you will probably have experienced that print jobs originating
- from Windows clients were not printed. You may have found an error
- message in your CUPS logs like:
- </p><p><code class="computeroutput">
- Unable to convert file 0 to printable format for job
- </code></p><p>
- To enable the printing of <em class="parameter"><code>application/octet-stream</code></em> files, edit
- these two files:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><code class="filename">/etc/cups/mime.convs</code></p></li><li class="listitem"><p><code class="filename">/etc/cups/mime.types</code></p></li></ul></div><p>
-<a class="indexterm" name="id404181"></a>
- Both contain entries (at the end of the respective files) that must be uncommented to allow raw mode
- operation for <em class="parameter"><code>application/octet-stream</code></em>. In <code class="filename">/etc/cups/mime.types</code>
- make sure this line is present:
- <a class="indexterm" name="id404202"></a>
-</p><pre class="programlisting">
-application/octet-stream
-</pre><p>
- This line (with no specific autotyping rule set) makes all files
- not otherwise auto-typed a member of <em class="parameter"><code>application/octet-stream</code></em>. In
- <code class="filename">/etc/cups/mime.convs</code>, have this
- line:
-</p><pre class="programlisting">
-application/octet-stream application/vnd.cups-raw 0 -
-</pre><p>
- <a class="indexterm" name="id404234"></a>
- This line tells CUPS to use the <span class="emphasis"><em>Null Filter</em></span>
- (denoted as <span class="quote">&#8220;<span class="quote">-</span>&#8221;</span>, doing nothing at all) on
- <em class="parameter"><code>application/octet-stream</code></em>, and tag the result as
- <em class="parameter"><code>application/vnd.cups-raw</code></em>. This last one is
- always a green light to the CUPS scheduler to now hand the file over
- to the backend connecting to the printer and sending it over.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- Editing the <code class="filename">mime.convs</code> and the <code class="filename">mime.types</code> file does not
- <span class="emphasis"><em>enforce</em></span> <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> printing, it only <span class="emphasis"><em>allows</em></span> it.
- </p></div><p title="Background"><b>Background. </b>
-<a class="indexterm" name="id404298"></a>
-<a class="indexterm" name="id404305"></a>
-<a class="indexterm" name="id404311"></a>
-<a class="indexterm" name="id404318"></a>
- That CUPS is a more security-aware printing system than traditional ones
- does not by default allow one to send deliberate (possibly binary)
- data to printing devices. (This could be easily abused to launch a
- Denial of Service attack on your printer(s), causing at least the loss
- of a lot of paper and ink.) <span class="quote">&#8220;<span class="quote">Unknown</span>&#8221;</span> data are regarded by CUPS
- as <span class="emphasis"><em>MIME type</em></span> <span class="emphasis"><em>application/octet-stream</em></span>. While you
- <span class="emphasis"><em>can</em></span> send data <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span>, the MIME type for these must
- be one that is known to CUPS and allowed by it. The file
- <code class="filename">/etc/cups/mime.types</code> defines the <span class="quote">&#8220;<span class="quote">rules</span>&#8221;</span> of how CUPS
- recognizes MIME types. The file <code class="filename">/etc/cups/mime.convs</code> decides which file
- conversion filter(s) may be applied to which MIME types.
- </p></div><div class="sect2" title="PostScript Printer Descriptions for Non-PostScript Printers"><div class="titlepage"><div><div><h3 class="title"><a name="id404367"></a>PostScript Printer Descriptions for Non-PostScript Printers</h3></div></div></div><p>
- <a class="indexterm" name="id404375"></a>
-<a class="indexterm" name="id404381"></a>
-<a class="indexterm" name="id404388"></a>
-<a class="indexterm" name="id404395"></a>
-<a class="indexterm" name="id404402"></a>
-<a class="indexterm" name="id404408"></a>
- Originally PPDs were meant to be used for PostScript printers
- only. Here, they help to send device-specific commands and settings
- to the RIP, which processes the job file. CUPS has extended this
- scope for PPDs to cover non-PostScript printers too. This was not
- difficult, because it is a standardized file format. In a way
- it was logical too: CUPS handles PostScript and uses a PostScript
- RIP (Ghostscript) to process the job files. The only difference is that
- a PostScript printer has the RIP built-in, for other types of
- printers the Ghostscript RIP runs on the host computer.
- </p><p>
- PPDs for a non-PostScript printer have a few lines that are unique to
- CUPS. The most important one looks similar to this:
- <a class="indexterm" name="id404425"></a>
-</p><pre class="programlisting">
-*cupsFilter: application/vnd.cups-raster 66 rastertoprinter
-</pre><p>
- It is the last piece in the CUPS filtering puzzle. This line tells the
- CUPS daemon to use as a last filter <em class="parameter"><code>rastertoprinter</code></em>. This filter
- should be served as input an <em class="parameter"><code>application/vnd.cups-raster</code></em> MIME type
- file. Therefore, CUPS should autoconstruct a filtering chain, which
- delivers as its last output the specified MIME type. This is then
- taken as input to the specified <em class="parameter"><code>rastertoprinter</code></em> filter. After
- the last filter has done its work (<em class="parameter"><code>rastertoprinter</code></em> is a Gutenprint
- filter), the file should go to the backend, which sends it to the
- output device.
- </p><p>
- CUPS by default ships only a few generic PPDs, but they are good for
- several hundred printer models. You may not be able to control
- different paper trays, or you may get larger margins than your
- specific model supports. See Table 21.1<a class="link" href="CUPS-printing.html#cups-ppds" title="Table 22.1. PPDs Shipped with CUPS">&#8220;PPDs Shipped with CUPS&#8221;</a> for summary information.
- </p><div class="table"><a name="cups-ppds"></a><p class="title"><b>Table 22.1. PPDs Shipped with CUPS</b></p><div class="table-contents"><table summary="PPDs Shipped with CUPS" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">PPD file</th><th align="justify">Printer type</th></tr></thead><tbody><tr><td align="left">deskjet.ppd</td><td align="justify">older HP inkjet printers and compatible</td></tr><tr><td align="left">deskjet2.ppd</td><td align="justify">newer HP inkjet printers and compatible </td></tr><tr><td align="left">dymo.ppd</td><td align="justify">label printers </td></tr><tr><td align="left">epson9.ppd</td><td align="justify">Epson 24-pin impact printers and compatible </td></tr><tr><td align="left">epson24.ppd</td><td align="justify">Epson 24-pin impact printers and compatible </td></tr><tr><td align="left">okidata9.ppd</td><td align="justify">Okidata 9-pin impact printers and compatible </td></tr><tr><td align="left">okidat24.ppd</td><td align="justify">Okidata 24-pin impact printers and compatible </td></tr><tr><td align="left">stcolor.ppd</td><td align="justify">older Epson Stylus Color printers </td></tr><tr><td align="left">stcolor2.ppd</td><td align="justify">newer Epson Stylus Color printers </td></tr><tr><td align="left">stphoto.ppd</td><td align="justify">older Epson Stylus Photo printers </td></tr><tr><td align="left">stphoto2.ppd</td><td align="justify">newer Epson Stylus Photo printers </td></tr><tr><td align="left">laserjet.ppd</td><td align="justify">all PCL printers </td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" title="cupsomatic/foomatic-rip Versus Native CUPS Printing"><div class="titlepage"><div><div><h3 class="title"><a name="id404631"></a><span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> Versus <span class="emphasis"><em>Native CUPS</em></span> Printing</h3></div></div></div><p>
- <a class="indexterm" name="id404644"></a>
- <a class="indexterm" name="id404651"></a>
- Native CUPS rasterization works in two steps:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id404665"></a>
- First is the <em class="parameter"><code>pstoraster</code></em> step. It uses the special CUPS
- <a class="indexterm" name="id404678"></a>
- device from ESP Ghostscript 7.05.x as its tool.
- </p></li><li class="listitem"><p>
- Second is the <em class="parameter"><code>rasterdriver</code></em> step. It uses various
- device-specific filters; there are several vendors who provide good
- quality filters for this step. Some are free software, some are
- shareware, and some are proprietary.
- </p></li></ul></div><p>
- Often this produces better quality (and has several more advantages) than other methods.
- This is shown in <a class="link" href="CUPS-printing.html#cupsomatic-dia" title="Figure 22.10. cupsomatic/foomatic Processing Versus Native CUPS."> the cupsomatic/foomatic Processing Versus Native CUPS
- illustration</a>.
- </p><div class="figure"><a name="cupsomatic-dia"></a><p class="title"><b>Figure 22.10. cupsomatic/foomatic Processing Versus Native CUPS.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/10small.png" alt="cupsomatic/foomatic Processing Versus Native CUPS."></div></div></div><br class="figure-break"><p>
- One other method is the <em class="parameter"><code>cupsomatic/foomatic-rip</code></em>
- way. Note that <em class="parameter"><code>cupsomatic</code></em> is <span class="emphasis"><em>not</em></span> made by the CUPS
- developers. It is an independent contribution to printing development,
- made by people from Linuxprinting.org.<sup>[<a name="id404773" href="#ftn.id404773" class="footnote">6</a>]</sup>
- <em class="parameter"><code>cupsomatic</code></em> is no longer developed, maintained, or supported. It now been
- replaced by <em class="parameter"><code>foomatic-rip</code></em>. <em class="parameter"><code>foomatic-rip</code></em> is a complete rewrite
- of the old <em class="parameter"><code>cupsomatic</code></em> idea, but very much improved and generalized to
- other (non-CUPS) spoolers. An upgrade to <em class="parameter"><code>foomatic-rip</code></em> is strongly
- advised, especially if you are upgrading to a recent version of CUPS,
- too.
- </p><p>
- <a class="indexterm" name="id404820"></a>
- <a class="indexterm" name="id404826"></a>
- Like the old <em class="parameter"><code>cupsomatic</code></em> method, the <em class="parameter"><code>foomatic-rip</code></em> (new) method
- from Linuxprinting.org uses the traditional Ghostscript print file processing, doing everything in a single
- step. It therefore relies on all the other devices built into Ghostscript. The quality is as good (or bad) as
- Ghostscript rendering is in other spoolers. The advantage is that this method supports many printer models not
- supported (yet) by the more modern CUPS method.
- </p><p>
- Of course, you can use both methods side by side on one system (and even for one printer, if you set up
- different queues) and find out which works best for you.
- </p><p>
-<a class="indexterm" name="id404856"></a>
-<a class="indexterm" name="id404863"></a>
-<a class="indexterm" name="id404870"></a>
-<a class="indexterm" name="id404877"></a>
-<a class="indexterm" name="id404884"></a>
-<a class="indexterm" name="id404890"></a>
- <em class="parameter"><code>cupsomatic</code></em> kidnaps the print file after the
- <em class="parameter"><code>application/vnd.cups-postscript</code></em> stage and deviates it through the CUPS-external,
- systemwide Ghostscript installation. Therefore, the print file bypasses the <em class="parameter"><code>pstoraster</code></em>
- filter (and also bypasses the CUPS raster drivers <em class="parameter"><code>rastertosomething</code></em>). After Ghostscript
- finished its rasterization, <em class="parameter"><code>cupsomatic</code></em> hands the rendered file directly to the CUPS
- backend. <a class="link" href="CUPS-printing.html#cupsomatic-dia" title="Figure 22.10. cupsomatic/foomatic Processing Versus Native CUPS.">cupsomatic/foomatic Processing Versus Native
- CUPS</a>, illustrates the difference between native CUPS rendering and the
- <em class="parameter"><code>Foomatic/cupsomatic</code></em> method.
- </p></div><div class="sect2" title="Examples for Filtering Chains"><div class="titlepage"><div><div><h3 class="title"><a name="id404945"></a>Examples for Filtering Chains</h3></div></div></div><p>
- Here are a few examples of commonly occurring filtering chains to
- illustrate the workings of CUPS.
- </p><p>
-<a class="indexterm" name="id404957"></a>
-<a class="indexterm" name="id404964"></a>
-<a class="indexterm" name="id404971"></a>
-<a class="indexterm" name="id404978"></a>
- Assume you want to print a PDF file to an HP JetDirect-connected
- PostScript printer, but you want to print pages 3-5, 7, and 11-13
- only, and you want to print them <span class="quote">&#8220;<span class="quote">two-up</span>&#8221;</span> and <span class="quote">&#8220;<span class="quote">duplex</span>&#8221;</span>:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Your print options (page selection as required, two-up,
- duplex) are passed to CUPS on the command line.</p></li><li class="listitem"><p>The (complete) PDF file is sent to CUPS and autotyped as
- <em class="parameter"><code>application/pdf</code></em>.</p></li><li class="listitem"><p>The file therefore must first pass the
- <em class="parameter"><code>pdftops</code></em> prefilter, which produces PostScript
- MIME type <em class="parameter"><code>application/postscript</code></em> (a preview here
- would still show all pages of the original PDF).</p></li><li class="listitem"><p>The file then passes the <em class="parameter"><code>pstops</code></em>
- filter that applies the command line options: it selects pages
- 2-5, 7, and 11-13, creates the imposed layout <span class="quote">&#8220;<span class="quote">two pages on one sheet</span>&#8221;</span>, and
- inserts the correct <span class="quote">&#8220;<span class="quote">duplex</span>&#8221;</span> command (as defined in the printer's
- PPD) into the new PostScript file; the file is now of PostScript MIME
- type
- <em class="parameter"><code>application/vnd.cups-postscript</code></em>.</p></li><li class="listitem"><p>The file goes to the <em class="parameter"><code>socket</code></em>
- backend, which transfers the job to the printers.</p></li></ul></div><p>
- The resulting filter chain, therefore, is as shown in <a class="link" href="CUPS-printing.html#pdftosocket" title="Figure 22.11. PDF to Socket Chain.">the PDF to socket chain
- illustration</a>.
- </p><a class="indexterm" name="id405080"></a><div class="figure"><a name="pdftosocket"></a><p class="title"><b>Figure 22.11. PDF to Socket Chain.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/pdftosocket.png" alt="PDF to Socket Chain."></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="id405128"></a>
-<a class="indexterm" name="id405135"></a>
-<a class="indexterm" name="id405142"></a>
- Assume you want to print the same filter to an USB-connected Epson Stylus Photo Printer installed with the CUPS
- <code class="filename">stphoto2.ppd</code>. The first few filtering stages are nearly the same:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Your print options (page selection as required, two-up,
- duplex) are passed to CUPS on the command line.
- </p></li><li class="listitem"><p>
- The (complete) PDF file is sent to CUPS and autotyped as
- <em class="parameter"><code>application/pdf</code></em>.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id405179"></a>
-<a class="indexterm" name="id405185"></a>
- The file must first pass the <em class="parameter"><code>pdftops</code></em> prefilter, which produces PostScript
- MIME type <em class="parameter"><code>application/postscript</code></em> (a preview here would still show all
- pages of the original PDF).
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id405209"></a>
-<a class="indexterm" name="id405216"></a>
- The file then passes the <span class="quote">&#8220;<span class="quote">pstops</span>&#8221;</span> filter that applies
- the command line options: it selects the pages 2-5, 7, and 11-13,
- creates the imposed layout <span class="quote">&#8220;<span class="quote">two pages on one sheet,</span>&#8221;</span> and inserts the
- correct <span class="quote">&#8220;<span class="quote">duplex</span>&#8221;</span> command (oops this printer and PPD
- do not support duplex printing at all, so this option will
- be ignored) into the new PostScript file; the file is now of PostScript
- MIME type <em class="parameter"><code>application/vnd.cups-postscript</code></em>.
- </p></li><li class="listitem"><p>
- The file then passes the <em class="parameter"><code>pstoraster</code></em> stage and becomes MIME type
- <em class="parameter"><code>application/cups-raster</code></em>.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id405267"></a>
- Finally, the <em class="parameter"><code>rastertoepson</code></em> filter
- does its work (as indicated in the printer's PPD), creating the
- printer-specific raster data and embedding any user-selected
- print options into the print data stream.
- </p></li><li class="listitem"><p>
- The file goes to the <em class="parameter"><code>usb</code></em> backend, which transfers the job to the printers.
- </p></li></ul></div><p>
- The resulting filter chain therefore is as shown in <a class="link" href="CUPS-printing.html#pdftoepsonusb" title="Figure 22.12. PDF to USB Chain.">the PDF to USB Chain
- illustration</a>.
- </p><div class="figure"><a name="pdftoepsonusb"></a><p class="title"><b>Figure 22.12. PDF to USB Chain.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/pdftoepsonusb.png" alt="PDF to USB Chain."></div></div></div><br class="figure-break"></div><div class="sect2" title="Sources of CUPS Drivers/PPDs"><div class="titlepage"><div><div><h3 class="title"><a name="id405347"></a>Sources of CUPS Drivers/PPDs</h3></div></div></div><p>
- On the Internet you can now find many thousands of CUPS-PPD files
- (with their companion filters), in many national languages
- supporting more than 1,000 non-PostScript models.
- </p><div class="itemizedlist"><a class="indexterm" name="id405360"></a><a class="indexterm" name="id405369"></a><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="ulink" href="http://www.easysw.com/printpro/" target="_top">ESP PrintPro</a>
- (commercial, non-free) is packaged with more than 3,000 PPDs, ready for
- successful use <span class="quote">&#8220;<span class="quote">out of the box</span>&#8221;</span> on Linux, Mac OS X, IBM-AIX,
- HP-UX, Sun-Solaris, SGI-IRIX, Compaq Tru64, Digital UNIX, and
- other commercial Unices (it is written by the CUPS developers
- themselves and its sales help finance the further development of
- CUPS, as they feed their creators).
- </p></li><li class="listitem"><p>
- The <a class="ulink" href="http://gimp-print.sourceforge.net/" target="_top">Gutenprint Project</a>
- (GPL, free software) provides around 140 PPDs (supporting nearly 400 printers, many driven
- to photo quality output), to be used alongside the Gutenprint CUPS filters.
- </p></li><li class="listitem"><p>
- <a class="ulink" href="http://www.turboprint.de/english.html/" target="_top">TurboPrint </a> (shareware, non-free) supports
- roughly the same number of printers in excellent quality.
- </p></li><li class="listitem"><p>
- <a class="ulink" href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">OMNI </a>
- (LPGL, free) is a package made by IBM, now containing support for more
- than 400 printers, stemming from the inheritance of IBM OS/2 know-how
- ported over to Linux (CUPS support is in a beta stage at present).
- </p></li><li class="listitem"><p>
- <a class="ulink" href="http://hpinkjet.sourceforge.net/" target="_top">HPIJS </a> (BSD-style licenses, free)
- supports approximately 150 of HP's own printers and also provides
- excellent print quality now (currently available only via the Foomatic path).
- </p></li><li class="listitem"><p>
- <a class="ulink" href="http://www.linuxprinting.org/" target="_top">Foomatic/cupsomatic </a>
- (LPGL, free) from Linuxprinting.org provide PPDs for practically every Ghostscript
- filter known to the world (including Omni, Gutenprint, and HPIJS).
- </p></li></ul></div></div><div class="sect2" title="Printing with Interface Scripts"><div class="titlepage"><div><div><h3 class="title"><a name="id405456"></a>Printing with Interface Scripts</h3></div></div></div><p>
-<a class="indexterm" name="id405464"></a>
-<a class="indexterm" name="id405470"></a>
- CUPS also supports the use of <span class="quote">&#8220;<span class="quote">interface scripts</span>&#8221;</span> as known from
- System V AT&amp;T printing systems. These are often used for PCL
- printers, from applications that generate PCL print jobs. Interface
- scripts are specific to printer models. They have a role similar to
- PPDs for PostScript printers. Interface scripts may inject the Escape
- sequences as required into the print data stream if the user, for example, selects
- a certain paper tray, or changes paper orientation, or uses A3
- paper. Interface scripts are practically unknown in the Linux
- realm. On HP-UX platforms they are more often used. You can use any
- working interface script on CUPS too. Just install the printer with
- the <code class="literal">-i</code> option:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p pclprinter -v socket://11.12.13.14:9100 \
- -i /path/to/interface-script</code></strong>
-</pre><p>
- Interface scripts might be the <span class="quote">&#8220;<span class="quote">unknown animal</span>&#8221;</span> to many. However,
- with CUPS they provide the easiest way to plug in your own custom-written filtering
- script or program into one specific print queue (some information about the traditional
- use of interface scripts is found at
- <a class="ulink" href="http://playground.sun.com/printing/documentation/interface.html" target="_top">
- http://playground.sun.com/printing/documentation/interface.html</a>).
- </p></div></div><div class="sect1" title="Network Printing (Purely Windows)"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id405534"></a>Network Printing (Purely Windows)</h2></div></div></div><p>
-Network printing covers a lot of ground. To understand what exactly
-goes on with Samba when it is printing on behalf of its Windows
-clients, let's first look at a <span class="quote">&#8220;<span class="quote">purely Windows</span>&#8221;</span> setup: Windows clients
-with a Windows NT print server.
-</p><div class="sect2" title="From Windows Clients to an NT Print Server"><div class="titlepage"><div><div><h3 class="title"><a name="id405549"></a>From Windows Clients to an NT Print Server</h3></div></div></div><p>
-Windows clients printing to an NT-based print server have two
-options. They may:
-<a class="indexterm" name="id405558"></a>
-<a class="indexterm" name="id405564"></a>
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Execute the driver locally and render the GDI output
- (EMF) into the printer-specific format on their own.
- </p></li><li class="listitem"><p>Send the GDI output (EMF) to the server, where the
- driver is executed to render the printer-specific output.
- </p></li></ul></div><p>
-Both print paths are shown in the flowcharts in <a class="link" href="CUPS-printing.html#small11" title="Figure 22.13. Print Driver Execution on the Client.">
-Print Driver Execution on the Client</a>, and
-<a class="link" href="CUPS-printing.html#small12" title="Figure 22.14. Print Driver Execution on the Server.">Print Driver Execution on the Server</a>.
-</p></div><div class="sect2" title="Driver Execution on the Client"><div class="titlepage"><div><div><h3 class="title"><a name="id405607"></a>Driver Execution on the Client</h3></div></div></div><p>
-In the first case, the print server must spool the file as raw, meaning it shouldn't touch the job file and try
-to convert it in any way. This is what a traditional UNIX-based print server can do too, and at a better
-performance and more reliably than an NT print server. This is what most Samba administrators probably are
-familiar with. One advantage of this setup is that this <span class="quote">&#8220;<span class="quote">spooling-only</span>&#8221;</span> print server may be used
-even if no driver(s) for UNIX is available. It is sufficient to have the Windows client drivers available and
-installed on the clients. This is illustrated in <a class="link" href="CUPS-printing.html#small11" title="Figure 22.13. Print Driver Execution on the Client.">the Print Driver Execution on the
-Client diagram</a>.
-</p><div class="figure"><a name="small11"></a><p class="title"><b>Figure 22.13. Print Driver Execution on the Client.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/11small.png" alt="Print Driver Execution on the Client."></div></div></div><br class="figure-break"></div><div class="sect2" title="Driver Execution on the Server"><div class="titlepage"><div><div><h3 class="title"><a name="id405672"></a>Driver Execution on the Server</h3></div></div></div><p>
-<a class="indexterm" name="id405680"></a>
-<a class="indexterm" name="id405687"></a>
-<a class="indexterm" name="id405693"></a>
-<a class="indexterm" name="id405700"></a>
-<a class="indexterm" name="id405706"></a>
-The other path executes the printer driver on the server. The client transfers print files in EMF format to
-the server. The server uses the PostScript, PCL, ESC/P, or other driver to convert the EMF file into the
-printer-specific language. It is not possible for UNIX to do the same. Currently, there is no program or
-method to convert a Windows client's GDI output on a UNIX server into something a printer could understand.
-This is illustrated in <a class="link" href="CUPS-printing.html#small12" title="Figure 22.14. Print Driver Execution on the Server.">the Print Driver Execution on the Server diagram</a>.
-</p><div class="figure"><a name="small12"></a><p class="title"><b>Figure 22.14. Print Driver Execution on the Server.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/12small.png" alt="Print Driver Execution on the Server."></div></div></div><br class="figure-break"><p>
-However, something similar is possible with CUPS, so read on.
-</p></div></div><div class="sect1" title="Network Printing (Windows Clients and UNIX/Samba Print Servers)"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id405771"></a>Network Printing (Windows Clients and UNIX/Samba Print
-Servers)</h2></div></div></div><p>
-Since UNIX print servers <span class="emphasis"><em>cannot</em></span> execute the Win32
-program code on their platform, the picture is somewhat
-different. However, this does not limit your options all that
-much. On the contrary, you may have a way here to implement printing
-features that are not possible otherwise.
-</p><div class="sect2" title="From Windows Clients to a CUPS/Samba Print Server"><div class="titlepage"><div><div><h3 class="title"><a name="id405787"></a>From Windows Clients to a CUPS/Samba Print Server</h3></div></div></div><p>
-Here is a simple recipe showing how you can take advantage of CUPS's
-powerful features for the benefit of your Windows network printing
-clients:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Let the Windows clients send PostScript to the CUPS
- server.</p></li><li class="listitem"><p>Let the CUPS server render the PostScript into device-specific raster format.</p></li></ul></div><p>
-This requires the clients to use a PostScript driver (even if the
-printer is a non-PostScript model. It also requires that you have a
-driver on the CUPS server.
-</p><p>
-First, to enable CUPS-based printing through Samba, the following options should be set in your <code class="filename">smb.conf</code>
-file <em class="parameter"><code>[global]</code></em> section:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id405836"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id405848"></a><em class="parameter"><code>printcap = cups</code></em></td></tr></table><p>
-When these parameters are specified, all manually set print directives (like <a class="link" href="smb.conf.5.html#PRINTCOMMAND" target="_top">print command</a> or <a class="link" href="smb.conf.5.html#LPPAUSECOMMAND" target="_top">lppause command</a>) in <code class="filename">smb.conf</code> (as well as in Samba itself) will be
-ignored. Instead, Samba will directly interface with CUPS through its application program interface (API), as
-long as Samba has been compiled with CUPS library (libcups) support. If Samba has not been compiled with CUPS
-support, and if no other print commands are set up, then printing will use the <span class="emphasis"><em>System V</em></span>
-AT&amp;T command set, with the -oraw option automatically passing through (if you want your own defined print
-commands to work with a Samba server that has CUPS support compiled in, simply use <a class="link" href="smb.conf.5.html#CLASSICALPRINTING" target="_top">classicalprinting = sysv</a>). This is illustrated in <a class="link" href="CUPS-printing.html#f13small" title="Figure 22.15. Printing via CUPS/Samba Server.">the Printing via
-CUPS/Samba Server diagram</a>.
-</p><div class="figure"><a name="f13small"></a><p class="title"><b>Figure 22.15. Printing via CUPS/Samba Server.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/13small.png" alt="Printing via CUPS/Samba Server."></div></div></div><br class="figure-break"></div><div class="sect2" title="Samba Receiving Job-Files and Passing Them to CUPS"><div class="titlepage"><div><div><h3 class="title"><a name="id405962"></a>Samba Receiving Job-Files and Passing Them to CUPS</h3></div></div></div><p>
-Samba <span class="emphasis"><em>must</em></span> use its own spool directory (it is set by a line similar to <a class="link" href="smb.conf.5.html#PATH" target="_top">path = /var/spool/samba</a>, in the <em class="parameter"><code>[printers]</code></em> or <em class="parameter"><code>[printername]</code></em> section of <code class="filename">smb.conf</code>). Samba receives the job in its own spool space and passes it
-into the spool directory of CUPS (the CUPS spool directory is set by the <em class="parameter"><code>RequestRoot</code></em>
-directive in a line that defaults to <em class="parameter"><code>RequestRoot /var/spool/cups</code></em>). CUPS checks the
-access rights of its spool directory and resets it to healthy values with every restart. We have seen quite a
-few people who used a common spooling space for Samba and CUPS, and struggled for weeks with this
-<span class="quote">&#8220;<span class="quote">problem.</span>&#8221;</span>
-</p><p>
-A Windows user authenticates only to Samba (by whatever means is
-configured). If Samba runs on the same host as CUPS, you only need to
-allow <span class="quote">&#8220;<span class="quote">localhost</span>&#8221;</span> to print. If it runs on different machines, you
-need to make sure the Samba host gets access to printing on CUPS.
-</p></div></div><div class="sect1" title="Network PostScript RIP"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id406034"></a>Network PostScript RIP</h2></div></div></div><p>
-This section discusses the use of CUPS filters on the server configuration where
-clients make use of a PostScript driver with CUPS-PPDs.
-</p><p>
-<a class="indexterm" name="id406048"></a>
-<a class="indexterm" name="id406054"></a>
-<a class="indexterm" name="id406061"></a>
-PPDs can control all print device options. They are usually provided by the manufacturer if you own
-a PostScript printer, that is. PPD files are always a component of PostScript printer drivers on MS Windows or
-Apple Mac OS systems. They are ASCII files containing user-selectable print options, mapped to appropriate
-PostScript, PCL, or PJL commands for the target printer. Printer driver GUI dialogs translate these options
-<span class="quote">&#8220;<span class="quote">on the fly</span>&#8221;</span> into buttons and drop-down lists for the user to select.
-</p><p>
-CUPS can load, without any conversions, the PPD file from any Windows (NT is recommended) PostScript driver
-and handle the options. There is a Web browser interface to the print options (select <a class="ulink" href="http://localhost:631/printers/" target="_top">http://localhost:631/printers/</a> and click on one
-<span class="guibutton">Configure Printer</span> button to see it) or a command line interface (see <code class="literal">man
-lpoptions</code> or see if you have <code class="literal">lphelp</code> on your system). There are also some
-different GUI front-ends on Linux/UNIX, which can present PPD options to users. PPD options are normally meant
-to be evaluated by the PostScript RIP on the real PostScript printer.
-</p><div class="sect2" title="PPDs for Non-PS Printers on UNIX"><div class="titlepage"><div><div><h3 class="title"><a name="id406112"></a>PPDs for Non-PS Printers on UNIX</h3></div></div></div><p>
-<a class="indexterm" name="id406120"></a>
-CUPS does not limit itself to <span class="quote">&#8220;<span class="quote">real</span>&#8221;</span> PostScript printers in its use of PPDs. The CUPS developers
-have extended the scope of the PPD concept to also describe available device and driver options for
-non-PostScript printers through CUPS-PPDs.
-</p><p>
-This is logical, because CUPS includes a fully featured PostScript interpreter (RIP). This RIP is based on
-Ghostscript. It can process all received PostScript (and additionally many other file formats) from clients.
-All CUPS-PPDs geared to non-PostScript printers contain an additional line, starting with the keyword
-<em class="parameter"><code>*cupsFilter</code></em>. This line tells the CUPS print system which printer-specific filter to use
-for the interpretation of the supplied PostScript. Thus CUPS lets all its printers appear as PostScript
-devices to its clients, because it can act as a PostScript RIP for those printers, processing the received
-PostScript code into a proper raster print format.
-</p></div><div class="sect2" title="PPDs for Non-PS Printers on Windows"><div class="titlepage"><div><div><h3 class="title"><a name="id406149"></a>PPDs for Non-PS Printers on Windows</h3></div></div></div><p>
-<a class="indexterm" name="id406157"></a>
-CUPS-PPDs can also be used on Windows clients, on top of a <span class="quote">&#8220;<span class="quote">core</span>&#8221;</span> PostScript driver (now
-recommended is the CUPS PostScript Driver for Windows NT/200x/XP; you can also use the Adobe one, with
-limitations). This feature enables CUPS to do a few tricks no other spooler can do:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Act as a networked PostScript RIP handling print files from all client platforms in a uniform way.
- </p></li><li class="listitem"><p>
- Act as a central accounting and billing server, since all files are passed through the pstops filter and are therefore
- logged in the CUPS <code class="filename">page_log</code> file. <span class="emphasis"><em>Note:</em></span> this cannot happen with
- <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> print jobs, which always remain unfiltered per definition.
- </p></li><li class="listitem"><p>
- Enable clients to consolidate on a single PostScript driver, even for many different target printers.
- </p></li></ul></div><p>
-Using CUPS PPDs on Windows clients enables them to control all print job settings just as a UNIX client can do.
-</p></div></div><div class="sect1" title="Windows Terminal Servers (WTS) as CUPS Clients"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id406210"></a>Windows Terminal Servers (WTS) as CUPS Clients</h2></div></div></div><p>
-This setup may be of special interest to people experiencing major problems in WTS environments. WTS often
-need a multitude of non-PostScript drivers installed to run their clients' variety of different printer
-models. This often imposes the price of much increased instability.
-</p><div class="sect2" title="Printer Drivers Running in &#8220;Kernel Mode&#8221; Cause Many Problems"><div class="titlepage"><div><div><h3 class="title"><a name="id406222"></a>Printer Drivers Running in <span class="quote">&#8220;<span class="quote">Kernel Mode</span>&#8221;</span> Cause Many
-Problems</h3></div></div></div><p>
-Windows NT printer drivers, which run in <span class="quote">&#8220;<span class="quote">kernel mode</span>&#8221;</span>, introduce a high risk for the stability
-of the system if the driver is not really stable and well-tested. And there are a lot of bad drivers out
-there! Especially notorious is the example of the PCL printer driver that had an additional sound module
-running to notify users via soundcard of their finished jobs. Do I need to say that this one was also reliably
-causing <span class="quote">&#8220;<span class="quote">blue screens of death</span>&#8221;</span> on a regular basis?
-</p><p>
-PostScript drivers are generally well-tested. They are not known to cause any problems, even though they also
-run in kernel mode. This might be because until now there have been only two different PostScript drivers: the
-one from Adobe and the one from Microsoft. Both are well-tested and are as stable as you can imagine on
-Windows. The CUPS driver is derived from the Microsoft one.
-</p></div><div class="sect2" title="Workarounds Impose Heavy Limitations"><div class="titlepage"><div><div><h3 class="title"><a name="id406253"></a>Workarounds Impose Heavy Limitations</h3></div></div></div><p>
-In an attempt to work around problems, site administrators have resorted to restricting the
-allowed drivers installed on their WTS to one generic PCL and one PostScript driver. This, however, restricts
-the number of printer options available for clients to use. Often they can't get out more than simplex
-prints from one standard paper tray, while their devices could do much better if driven by a different driver!
-</p></div><div class="sect2" title="CUPS: A &#8220;Magical Stone&#8221;?"><div class="titlepage"><div><div><h3 class="title"><a name="id406267"></a>CUPS: A <span class="quote">&#8220;<span class="quote">Magical Stone</span>&#8221;</span>?</h3></div></div></div><p>
-<a class="indexterm" name="id406278"></a>
-<a class="indexterm" name="id406284"></a>
-Using a PostScript driver, enabled with a CUPS-PPD, seems to be a very elegant way to overcome all these
-shortcomings. There are, depending on the version of Windows OS you use, up to three different PostScript
-drivers now available: Adobe, Microsoft, and CUPS PostScript drivers. None of them is known to cause major
-stability problems on WTS (even if used with many different PPDs). The clients will be able to (again) choose
-paper trays, duplex printing, and other settings. However, there is a certain price for this too: a CUPS
-server acting as a PostScript RIP for its clients requires more CPU and RAM than when just acting as a
-<span class="quote">&#8220;<span class="quote">raw spooling</span>&#8221;</span> device. Plus, this setup is not yet widely tested, although the first feedbacks
-look very promising.
-</p></div><div class="sect2" title="PostScript Drivers with No Major Problems, Even in Kernel Mode"><div class="titlepage"><div><div><h3 class="title"><a name="id406303"></a>PostScript Drivers with No Major Problems, Even in Kernel
-Mode</h3></div></div></div><p>
-<a class="indexterm" name="id406311"></a>
-<a class="indexterm" name="id406318"></a>
-<a class="indexterm" name="id406325"></a>
-<a class="indexterm" name="id406332"></a>
-<a class="indexterm" name="id406339"></a>
-<a class="indexterm" name="id406346"></a>
-More recent printer drivers on W200x and XP no longer run in kernel mode (unlike Windows NT). However, both
-operating systems can still use the NT drivers, running in kernel mode (you can roughly tell which is which as
-the drivers in subdirectory <span class="quote">&#8220;<span class="quote">2</span>&#8221;</span> of <span class="quote">&#8220;<span class="quote">W32X86</span>&#8221;</span> are <span class="quote">&#8220;<span class="quote">old</span>&#8221;</span> ones). As was
-said before, the Adobe as well as the Microsoft PostScript drivers are not known to cause any stability
-problems. The CUPS driver is derived from the Microsoft one. There is a simple reason for this: the MS DDK
-(Device Development Kit) for Windows NT (which used to be available at no cost to licensees of Visual Studio)
-includes the source code of the Microsoft driver, and licensees of Visual Studio are allowed to use and modify
-it for their own driver development efforts. This is what the CUPS people have done. The license does not
-allow them to publish the whole of the source code. However, they have released the <span class="quote">&#8220;<span class="quote">diff</span>&#8221;</span> under
-the GPL, and if you are the owner of an <span class="quote">&#8220;<span class="quote">MS DDK for Windows NT,</span>&#8221;</span> you can check the driver
-yourself.
-</p></div></div><div class="sect1" title="Configuring CUPS for Driver Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id406382"></a>Configuring CUPS for Driver Download</h2></div></div></div><p>
-As we have said before, all previously known methods to prepare client printer drivers on the Samba server for
-download and Point'n'Print convenience of Windows workstations are working with CUPS, too. These methods were
-described in <a class="link" href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing</a>. In reality, this is a pure Samba
-business and relates only to the Samba-Windows client relationship.
-</p><div class="sect2" title="cupsaddsmb: The Unknown Utility"><div class="titlepage"><div><div><h3 class="title"><a name="id406400"></a><span class="emphasis"><em>cupsaddsmb</em></span>: The Unknown Utility</h3></div></div></div><p>
-<a class="indexterm" name="id406410"></a>
-The <em class="parameter"><code>cupsaddsmb</code></em> utility (shipped with all current CUPS versions) is an alternative
-method to transfer printer drivers into the Samba <em class="parameter"><code>[print$]</code></em> share. Remember, this
-share is where clients expect drivers deposited and set up for download and installation. It makes the sharing
-of any (or all) installed CUPS printers quite easy. <code class="literal">cupsaddsmb</code> can use the Adobe PostScript
-driver as well as the newly developed CUPS PostScript driver for Windows NT/200x/XP.
-<em class="parameter"><code>cupsaddsmb</code></em> does <span class="emphasis"><em>not</em></span> work with arbitrary vendor printer drivers,
-but only with the <span class="emphasis"><em>exact</em></span> driver files that are named in its man page.
-</p><p>
-The CUPS printer driver is available from the CUPS download site. Its package name is
-<code class="filename">cups-samba-[version].tar.gz</code>. It is preferred over the Adobe drivers because it has a
-number of advantages:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>It supports a much more accurate page accounting.</p></li><li class="listitem"><p>It supports banner pages and page labels on all printers.</p></li><li class="listitem"><p>It supports the setting of a number of job IPP attributes
- (such as job priority, page label, and job billing).</p></li></ul></div><p>
-However, currently only Windows NT, 2000, and XP are supported by the
-CUPS drivers. You will also need to get the respective part of the Adobe driver
-if you need to support Windows 95, 98, and Me clients.
-</p></div><div class="sect2" title="Prepare Your smb.conf for cupsaddsmb"><div class="titlepage"><div><div><h3 class="title"><a name="id406488"></a>Prepare Your <code class="filename">smb.conf</code> for <code class="literal">cupsaddsmb</code></h3></div></div></div><p>
-Prior to running <code class="literal">cupsaddsmb</code>, you need the settings in
-<code class="filename">smb.conf</code> as shown in <a class="link" href="CUPS-printing.html#cupsadd-ex" title="Example 22.3. smb.conf for cupsaddsmb Usage">the <code class="filename">smb.conf</code> for cupsaddsmb Usage</a>.
-</p><div class="example"><a name="cupsadd-ex"></a><p class="title"><b>Example 22.3. smb.conf for cupsaddsmb Usage</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id406557"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td><a class="indexterm" name="id406569"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id406580"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id406600"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id406612"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id406623"></a><em class="parameter"><code>browseable = no</code></em></td></tr><tr><td># setting depends on your requirements</td></tr><tr><td><a class="indexterm" name="id406638"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id406650"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id406661"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id406673"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id406694"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id406705"></a><em class="parameter"><code>path = /etc/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id406717"></a><em 
class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id406728"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id406740"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id406751"></a><em class="parameter"><code>write list = root, @smbprintadm</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" title="CUPS &#8220;PostScript Driver for Windows NT/200x/XP&#8221;"><div class="titlepage"><div><div><h3 class="title"><a name="id406765"></a>CUPS <span class="quote">&#8220;<span class="quote">PostScript Driver for Windows NT/200x/XP</span>&#8221;</span></h3></div></div></div><p>
-<a class="indexterm" name="id406775"></a>
-CUPS users may get the exact same package from <a class="ulink" href="http://www.cups.org/software.html" target="_top">http://www.cups.org/software.html</a>. It is a separate package
-from the CUPS-based software files, tagged as CUPS 1.1.x Windows NT/200x/XP Printer Driver for Samba (tar.gz,
-192k). The filename to download is <code class="filename">cups-samba-1.1.x.tar.gz</code>. Upon untar and unzipping, it
-will reveal these files:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>tar xvzf cups-samba-1.1.19.tar.gz</code></strong>
-cups-samba.install
-cups-samba.license
-cups-samba.readme
-cups-samba.remove
-cups-samba.ss
-</pre><p>
-<a class="indexterm" name="id406818"></a>
-<a class="indexterm" name="id406827"></a>
-These have been packaged with the ESP meta-packager software EPM. The <code class="filename">*.install</code> and
-<code class="filename">*.remove</code> files are simple shell scripts, which untar the <code class="filename">*.ss</code> (the
-<code class="filename">*.ss</code> is nothing else but a tar archive, which can be untarred by <span class="quote">&#8220;<span class="quote">tar</span>&#8221;</span> too).
-Then it puts the content into <code class="filename">/usr/share/cups/drivers/</code>. This content includes three
-files:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>tar tv cups-samba.ss</code></strong>
-cupsdrvr.dll
-cupsui.dll
-cups.hlp
-</pre><p>
-The <em class="parameter"><code>cups-samba.install</code></em> shell scripts are easy to
-handle:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>./cups-samba.install</code></strong>
-[....]
-Installing software...
-Updating file permissions...
-Running post-install commands...
-Installation is complete.
-</pre><p>
-The script should automatically put the driver files into the
-<code class="filename">/usr/share/cups/drivers/</code> directory:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/</code></strong>
-</pre><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-Due to a bug, one recent CUPS release puts the <code class="filename">cups.hlp</code> driver file
-into<code class="filename">/usr/share/drivers/</code> instead of <code class="filename">/usr/share/cups/drivers/</code>. To work
-around this, copy/move the file (after running the <code class="literal">./cups-samba.install</code> script) manually to
-the correct place.
-</p></div><p>
-<a class="indexterm" name="id406970"></a>
-This new CUPS PostScript driver is currently binary only, but free of charge. No complete source code is
-provided (yet). The reason is that it has been developed with the help of the Microsoft DDK and compiled with
-Microsoft Visual Studio 6. Driver developers are not allowed to distribute the whole of the source code as
-free software. However, CUPS developers released the <span class="quote">&#8220;<span class="quote">diff</span>&#8221;</span> in source code under the GPL, so
-anybody with a license for Visual Studio and a DDK will be able to compile for himself or herself.
-</p></div><div class="sect2" title="Recognizing Different Driver Files"><div class="titlepage"><div><div><h3 class="title"><a name="id406987"></a>Recognizing Different Driver Files</h3></div></div></div><p>
-The CUPS drivers do not support the older Windows 95/98/Me, but only the Windows NT/2000/XP client.
-</p><p>Windows NT, 2000, and XP are supported by:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>cups.hlp</p></li><li class="listitem"><p>cupsdrvr.dll</p></li><li class="listitem"><p>cupsui.dll</p></li></ul></div><p>
-Adobe drivers are available for the older Windows 95/98/Me as well as
-for Windows NT/2000/XP clients. The set of files is different from the
-different platforms.
-</p><p>Windows 95, 98, and ME are supported by:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>ADFONTS.MFM</p></li><li class="listitem"><p>ADOBEPS4.DRV</p></li><li class="listitem"><p>ADOBEPS4.HLP</p></li><li class="listitem"><p>DEFPRTR2.PPD</p></li><li class="listitem"><p>ICONLIB.DLL</p></li><li class="listitem"><p>PSMON.DLL</p></li></ul></div><p>Windows NT, 2000, and XP are supported by:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>ADOBEPS5.DLL</p></li><li class="listitem"><p>ADOBEPSU.DLL</p></li><li class="listitem"><p>ADOBEPSU.HLP</p></li></ul></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id407080"></a>
-If both the Adobe driver files and the CUPS driver files for the support of Windows NT/200x/XP are presently
-installed on the server, the Adobe files will be ignored and the CUPS files will be used. If you prefer
- for whatever reason to use Adobe-only drivers, move away the three CUPS driver files.
-The Windows 9x/Me clients use the Adobe drivers in any case.
-</p></div></div><div class="sect2" title="Acquiring the Adobe Driver Files"><div class="titlepage"><div><div><h3 class="title"><a name="id407098"></a>Acquiring the Adobe Driver Files</h3></div></div></div><p>
-Acquiring the Adobe driver files seems to be unexpectedly difficult for many users. They are not available on
-the Adobe Web site as single files, and the self-extracting and/or self-installing Windows-.exe is not easy to
-locate either. You probably need to use the included native installer and run the installation process on one
-client once. This will install the drivers (and one generic PostScript printer) locally on the client. When
-they are installed, share the generic PostScript printer. After this, the client's <em class="parameter"><code>[print$]</code></em> share holds the Adobe files, which you can get with smbclient from the CUPS host.
-</p></div><div class="sect2" title="ESP Print Pro PostScript Driver for Windows NT/200x/XP"><div class="titlepage"><div><div><h3 class="title"><a name="id407118"></a>ESP Print Pro PostScript Driver for Windows NT/200x/XP</h3></div></div></div><p>
-<a class="indexterm" name="id407126"></a>
-Users of the ESP Print Pro software are able to install the ESP print drivers package as an alternative to the
-Adobe PostScript drivers. To do so, retrieve the driver files from the normal download area of the ESP Print
-Pro software at <a class="ulink" href="http://www.easysw.com/software.html" target="_top">Easy Software</a> web site.
-You need to locate the link labeled <span class="quote">&#8220;<span class="quote">SAMBA</span>&#8221;</span> among the <span class="guilabel">Download Printer Drivers for ESP
-Print Pro 4.x</span> area and download the package. Once installed, you can prepare any driver by simply
-highlighting the printer in the Printer Manager GUI and selecting <span class="guilabel">Export Driver...</span> from
-the menu. Of course, you need to have prepared Samba beforehand to handle the driver files; that is, set up
-the <em class="parameter"><code>[print$]</code></em> share, and so on. The ESP Print Pro package includes the CUPS driver
-files as well as a (licensed) set of Adobe drivers for the Windows 95/98/Me client family.
-</p></div><div class="sect2" title="Caveats to Be Considered"><div class="titlepage"><div><div><h3 class="title"><a name="id407173"></a>Caveats to Be Considered</h3></div></div></div><p>
-<a class="indexterm" name="id407181"></a>
-<a class="indexterm" name="id407187"></a>
-<a class="indexterm" name="id407194"></a>
-<a class="indexterm" name="id407201"></a>
-Once you have run the install script (and possibly manually moved the <code class="filename">cups.hlp</code> file to
-<code class="filename">/usr/share/cups/drivers/</code>), the driver is ready to be put into Samba's <em class="parameter"><code>[print$]</code></em> share (which often maps to <code class="filename">/etc/samba/drivers/</code> and contains a
-subdirectory tree with <span class="emphasis"><em>WIN40</em></span> and <span class="emphasis"><em>W32X86</em></span> branches). You do this by
-running <code class="literal">cupsaddsmb</code> (see also <code class="literal">man cupsaddsmb</code> for CUPS since release
-1.1.16).
-</p><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
-<a class="indexterm" name="id407257"></a>
-<a class="indexterm" name="id407264"></a>
-You may need to put root into the smbpasswd file by running <code class="literal">smbpasswd</code>; this is especially
-important if you should run this whole procedure for the first time and are not working in an environment
-where everything is configured for <span class="emphasis"><em>single sign-on</em></span> to a Windows Domain Controller.
-</p></div><p>
-Once the driver files are in the <em class="parameter"><code>[print$]</code></em> share and are initialized, they are ready
-to be downloaded and installed by the Windows NT/200x/XP clients.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Win 9x/Me clients will not work with the CUPS PostScript driver. For these you still need to use the
-<code class="filename">ADOBE*.*</code> drivers, as previously stated.
-</p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-It is not harmful if you still have the <code class="filename">ADOBE*.*</code> driver files from previous installations
-in the <code class="filename">/usr/share/cups/drivers/</code> directory. The new <code class="literal">cupsaddsmb</code> (from
-1.1.16) will automatically prefer its own drivers if it finds both.
-</p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id407333"></a>
-<a class="indexterm" name="id407340"></a>
-Should your Windows clients have had the old <code class="filename">ADOBE*.*</code> files for the Adobe PostScript
-driver installed, the download and installation of the new CUPS PostScript driver for Windows NT/200x/XP will
-fail at first. You need to wipe the old driver from the clients first. It is not enough to
-<span class="quote">&#8220;<span class="quote">delete</span>&#8221;</span> the printer, because the driver files will still be kept by the clients and re-used if
-you try to re-install the printer. To really get rid of the Adobe driver files on the clients, open the
-<span class="guilabel">Printers</span> folder (possibly via <span class="guilabel">Start -&gt; Settings -&gt; Control Panel -&gt;
-Printers</span>), right-click on the folder background, and select <span class="guimenuitem">Server
-Properties</span>. When the new dialog opens, select the <span class="guilabel">Drivers</span> tab. On the list
-select the driver you want to delete and click the <span class="guilabel">Delete</span> button. This will only work if
-there is not one single printer left that uses that particular driver. You need to <span class="quote">&#8220;<span class="quote">delete</span>&#8221;</span> all
-printers using this driver in the <span class="guilabel">Printers</span> folder first. You will need Administrator
-privileges to do this.
-</p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id407407"></a>
-<a class="indexterm" name="id407416"></a>
-Once you have successfully downloaded the CUPS PostScript driver to a client, you can easily switch all
-printers to this one by proceeding as described in <a class="link" href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing
-Support</a>. Either change a driver for an existing printer by running the <span class="guilabel">Printer
-Properties</span> dialog, or use <code class="literal">rpcclient</code> with the <code class="literal">setdriver</code>
-subcommand.
-</p></div></div><div class="sect2" title="Windows CUPS PostScript Driver Versus Adobe Driver"><div class="titlepage"><div><div><h3 class="title"><a name="id407452"></a>Windows CUPS PostScript Driver Versus Adobe Driver</h3></div></div></div><p>
-Are you interested in a comparison between the CUPS and the Adobe PostScript drivers? For our purposes, these
-are the most important items that weigh in favor of CUPS:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>No hassle with the Adobe EULA.</p></li><li class="listitem"><p>No hassle with the question, <span class="quote">&#8220;<span class="quote">Where do I
- get the ADOBE*.* driver files?</span>&#8221;</span></p></li><li class="listitem"><p>
- <a class="indexterm" name="id407480"></a>
- The Adobe drivers (on request of the printer PPD associated with them) often put a PJL header in front of the
- main PostScript part of the print file. Thus, the print file starts with <em class="parameter"><code>&lt;1B
- &gt;%-12345X</code></em> or <em class="parameter"><code>&lt;escape&gt;%-12345X</code></em> instead of
- <em class="parameter"><code>%!PS</code></em>. This leads to the CUPS daemon autotyping the incoming file as a print-ready file,
- not initiating a pass through the <em class="parameter"><code>pstops</code></em> filter (to speak more technically, it is not
- regarded as the generic MIME-type <a class="indexterm" name="id407514"></a>
- <em class="parameter"><code>application/postscript</code></em>, but as the more special MIME type
- <a class="indexterm" name="id407527"></a>
- <em class="parameter"><code>application/cups.vnd-postscript</code></em>), which therefore also leads to the page accounting in
- <em class="parameter"><code>/var/log/cups/page_log</code></em> not receiving the exact number of pages; instead the dummy page
- number of <span class="quote">&#8220;<span class="quote">1</span>&#8221;</span> is logged in a standard setup).
- </p></li><li class="listitem"><p>The Adobe driver has more options to misconfigure the
-<a class="indexterm" name="id407556"></a>
- PostScript generated by it (like setting it inadvertently to
- <span class="guilabel">Optimize for Speed</span> instead of
- <span class="guilabel">Optimize for Portability</span>, which
- could lead to CUPS being unable to process it).</p></li><li class="listitem"><p>The CUPS PostScript driver output sent by Windows
-<a class="indexterm" name="id407580"></a>
- clients to the CUPS server is guaranteed to autotype
- as the generic MIME type <em class="parameter"><code>application/postscript</code></em>,
- thus passing through the CUPS <em class="parameter"><code>pstops</code></em> filter and logging the
- correct number of pages in the <code class="filename">page_log</code> for
- accounting and quota purposes.</p></li><li class="listitem"><p>
- <a class="indexterm" name="id407611"></a>
- The CUPS PostScript driver supports the sending of additional standard (IPP) print options by Windows
- NT/200x/XP clients. Such additional print options are naming the CUPS standard <span class="emphasis"><em>banner
- pages</em></span> (or the custom ones, should they be installed at the time of driver download), using the CUPS
- page-label option, setting a job priority, and setting the scheduled time of printing (with the option to
- support additional useful IPP job attributes in the future).
- </p></li><li class="listitem"><p>The CUPS PostScript driver supports the inclusion of
- the new <em class="parameter"><code>*cupsJobTicket</code></em> comments at the
- beginning of the PostScript file (which could be used in the future
- for all sorts of beneficial extensions on the CUPS side, but which will
- not disturb any other applications because they will regard it as a comment
- and simply ignore it).</p></li><li class="listitem"><p>The CUPS PostScript driver will be the heart of the
- fully fledged CUPS IPP client for Windows NT/200x/XP to be released soon
- (probably alongside the first beta release for CUPS 1.2).</p></li></ul></div></div><div class="sect2" title="Run cupsaddsmb (Quiet Mode)"><div class="titlepage"><div><div><h3 class="title"><a name="id407647"></a>Run cupsaddsmb (Quiet Mode)</h3></div></div></div><p>
-<a class="indexterm" name="id407655"></a>
-<a class="indexterm" name="id407662"></a>
-The <code class="literal">cupsaddsmb</code> command copies the needed files into your <em class="parameter"><code>[print$]</code></em>
-share. Additionally, the PPD associated with this printer is copied from <code class="filename">/etc/cups/ppd/</code>
-to <em class="parameter"><code>[print$]</code></em>. There the files wait for convenient Windows client installations via
-Point'n'Print. Before we can run the command successfully, we need to be sure that we can authenticate toward
-Samba. If you have a small network, you are probably using user-level security (<a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = user</a>).
-</p><p>
-Here is an example of a successfully run <code class="literal">cupsaddsmb</code> command:
-<a class="indexterm" name="id407717"></a>
-<a class="indexterm" name="id407724"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -U root infotec_IS2027</code></strong>
-Password for root required to access localhost via Samba: <strong class="userinput"><code>['secret']</code></strong>
-</pre><p>
-<a class="indexterm" name="id407755"></a>
-To share <span class="emphasis"><em>all</em></span> printers and drivers, use the
-<code class="option">-a</code> parameter instead of a printer name. Since
-<code class="literal">cupsaddsmb</code> <span class="quote">&#8220;<span class="quote">exports</span>&#8221;</span> the printer drivers to Samba, it should be
-obvious that it only works for queues with a CUPS driver associated.
-</p></div><div class="sect2" title="Run cupsaddsmb with Verbose Output"><div class="titlepage"><div><div><h3 class="title"><a name="id407782"></a>Run cupsaddsmb with Verbose Output</h3></div></div></div><p>
-<a class="indexterm" name="id407790"></a>
-Probably you want to see what's going on. Use the
-<code class="option">-v</code> parameter to get a more verbose output. The
-output below was edited for better readability: all <span class="quote">&#8220;<span class="quote">\</span>&#8221;</span> at the end of
-a line indicate that I inserted an artificial line break plus some
-indentation here:
-<a class="indexterm" name="id407805"></a>
-<a class="indexterm" name="id407814"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -U root -v infotec_2105</code></strong>
-Password for root required to access localhost via GANDALF:
-Running command: smbclient //localhost/print\$ -N -U'root%secret' \
- -c 'mkdir W32X86; \
- put /var/spool/cups/tmp/3e98bf2d333b5 W32X86/infotec_2105.ppd; \
- put /usr/share/cups/drivers/cupsdrvr.dll W32X86/cupsdrvr.dll; \
- put /usr/share/cups/drivers/cupsui.dll W32X86/cupsui.dll; \
- put /usr/share/cups/drivers/cups.hlp W32X86/cups.hlp'
-added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
-Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
-NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
-putting file /var/spool/cups/tmp/3e98bf2d333b5 as \W32X86/infotec_2105.ppd
-putting file /usr/share/cups/drivers/cupsdrvr.dll as \W32X86/cupsdrvr.dll
-putting file /usr/share/cups/drivers/cupsui.dll as \W32X86/cupsui.dll
-putting file /usr/share/cups/drivers/cups.hlp as \W32X86/cups.hlp
-
-Running command: rpcclient localhost -N -U'root%secret'
- -c 'adddriver "Windows NT x86" \
- "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL: \
- RAW:NULL"'
-cmd = adddriver "Windows NT x86" \
- "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL: \
- RAW:NULL"
-Printer Driver infotec_2105 successfully installed.
-
-Running command: smbclient //localhost/print\$ -N -U'root%secret' \
--c 'mkdir WIN40; \
- put /var/spool/cups/tmp/3e98bf2d333b5 WIN40/infotec_2105.PPD; \
- put /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM; \
- put /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV; \
- put /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP; \
- put /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD; \
- put /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL; \
- put /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;'
- added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
- Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
- NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40
- putting file /var/spool/cups/tmp/3e98bf2d333b5 as \WIN40/infotec_2105.PPD
- putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM
- putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV
- putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP
- putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD
- putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL
- putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL
-
- Running command: rpcclient localhost -N -U'root%secret' \
- -c 'adddriver "Windows 4.0" \
- "infotec_2105:ADOBEPS4.DRV:infotec_2105.PPD:NULL:ADOBEPS4.HLP: \
- PSMON.DLL:RAW:ADOBEPS4.DRV,infotec_2105.PPD,ADOBEPS4.HLP,PSMON.DLL, \
- ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"'
- cmd = adddriver "Windows 4.0" "infotec_2105:ADOBEPS4.DRV:\
- infotec_2105.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:ADOBEPS4.DRV,\
- infotec_2105.PPD,ADOBEPS4.HLP,PSMON.DLL,ADFONTS.MFM,DEFPRTR2.PPD,\
- ICONLIB.DLL"
- Printer Driver infotec_2105 successfully installed.
-
- Running command: rpcclient localhost -N -U'root%secret' \
- -c 'setdriver infotec_2105 infotec_2105'
- cmd = setdriver infotec_2105 infotec_2105
- Successfully set infotec_2105 to driver infotec_2105.
-</pre><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-You will see the root password for the Samba account printed on screen.
-</p></div><p>
-If you look closely, you'll discover your root password was transferred unencrypted over the wire, so beware!
-Also, if you look further, you may discover error messages like NT_STATUS_OBJECT_NAME_COLLISION in the output.
-This will occur when the directories WIN40 and W32X86 already existed in the <em class="parameter"><code>[print$]</code></em>
-driver download share (from a previous driver installation). These are harmless warning messages.
-</p></div><div class="sect2" title="Understanding cupsaddsmb"><div class="titlepage"><div><div><h3 class="title"><a name="id407885"></a>Understanding cupsaddsmb</h3></div></div></div><p>
-<a class="indexterm" name="id407892"></a>
-What has happened? What did <code class="literal">cupsaddsmb</code> do? There are five stages of the procedure:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- <a class="indexterm" name="id407917"></a>
- Call the CUPS server via IPP and request the driver files and the PPD file for the named printer.</p></li><li class="listitem"><p>Store the files temporarily in the local TEMPDIR (as defined in <code class="filename">cupsd.conf</code>).</p></li><li class="listitem"><p>Connect via smbclient to the Samba server's <em class="parameter"><code>[print$]</code></em> share and put the files into the
- share's WIN40 (for Windows 9x/Me) and W32X86 (for Windows NT/200x/XP) subdirectories.</p></li><li class="listitem"><p>
- <a class="indexterm" name="id407951"></a>
- Connect via rpcclient to the Samba server and execute the <code class="literal">adddriver</code> command with the correct parameters.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id407971"></a>
- Connect via rpcclient to the Samba server a second time and execute the <code class="literal">setdriver</code> command.</p></li></ol></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-You can run the <code class="literal">cupsaddsmb</code> utility with parameters to specify one remote host as Samba host
-and a second remote host as CUPS host. Especially if you want to get a deeper understanding, it is a good idea
-to try it and see more clearly what is going on (though in real life most people will have their CUPS and
-Samba servers run on the same host):
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -H sambaserver -h cupsserver -v printer</code></strong>
-</pre><p>
-</p></div></div><div class="sect2" title="How to Recognize If cupsaddsmb Completed Successfully"><div class="titlepage"><div><div><h3 class="title"><a name="id408021"></a>How to Recognize If cupsaddsmb Completed Successfully</h3></div></div></div><p>
-You <span class="emphasis"><em>must</em></span> always check if the utility completed
-successfully in all fields. You need at minimum these three messages
-among the output:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully
- installed.</em></span> # (for the W32X86 == Windows NT/200x/XP
- architecture).</p></li><li class="listitem"><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully
- installed.</em></span> # (for the WIN40 == Windows 9x/Me
- architecture).</p></li><li class="listitem"><p><span class="emphasis"><em>Successfully set [printerXPZ] to driver
- [printerXYZ].</em></span></p></li></ol></div><p>
-These messages are probably not easily recognized in the general
-output. If you run <code class="literal">cupsaddsmb</code> with the <code class="option">-a</code>
-parameter (which tries to prepare <span class="emphasis"><em>all</em></span> active CUPS
-printer drivers for download), you might miss if individual printer
-drivers had problems installing properly. A redirection of the
-output will help you analyze the results in retrospective.
-</p><p>
-If you get:
-</p><pre class="screen">
-SetPrinter call failed!
-result was WERR_ACCESS_DENIED
-</pre><p>
-it means that you might have set <a class="link" href="smb.conf.5.html#USECLIENTDRIVER" target="_top">use client driver = yes</a> for this printer.
-Setting it to <span class="quote">&#8220;<span class="quote">no</span>&#8221;</span> will solve the problem. Refer to the <code class="filename">smb.conf</code> man page for explanation of
-the <em class="parameter"><code>use client driver</code></em>.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-It is impossible to see any diagnostic output if you do not run <code class="literal">cupsaddsmb</code> in verbose mode.
-Therefore, we strongly recommend against use of the default quiet mode. It will hide any problems from you that
-might occur.
-</p></div></div><div class="sect2" title="cupsaddsmb with a Samba PDC"><div class="titlepage"><div><div><h3 class="title"><a name="id408132"></a>cupsaddsmb with a Samba PDC</h3></div></div></div><p>
-<a class="indexterm" name="id408140"></a>
-<a class="indexterm" name="id408147"></a>
-Can't get the standard <code class="literal">cupsaddsmb</code> command to run on a Samba PDC? Are you asked for the
-password credential again and again, and the command just will not take off at all? Try one of these
-variations:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -U MIDEARTH\\root -v printername</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -H SAURON -U MIDEARTH\\root -v printername</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>cupsaddsmb -H SAURON -U MIDEARTH\\root -h cups-server -v printername</code></strong>
-</pre><p>
-(Note the two backslashes: the first one is required to <span class="quote">&#8220;<span class="quote">escape</span>&#8221;</span> the second one).
-</p></div><div class="sect2" title="cupsaddsmb Flowchart"><div class="titlepage"><div><div><h3 class="title"><a name="id408209"></a>cupsaddsmb Flowchart</h3></div></div></div><p>
-<a class="indexterm" name="id408217"></a>
-<a class="indexterm" name="id408224"></a>
-<a class="link" href="CUPS-printing.html#small14" title="Figure 22.16. cupsaddsmb Flowchart.">The cupsaddsmb Flowchart</a> shows a chart about the procedures, command flows, and
-data flows of the <code class="literal">cupaddsmb</code> command. Note again: cupsaddsmb is
-not intended to, and does not work with, raw print queues!
-</p><div class="figure"><a name="small14"></a><p class="title"><b>Figure 22.16. cupsaddsmb Flowchart.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/14small.png" alt="cupsaddsmb Flowchart."></div></div></div><br class="figure-break"></div><div class="sect2" title="Installing the PostScript Driver on a Client"><div class="titlepage"><div><div><h3 class="title"><a name="id408287"></a>Installing the PostScript Driver on a Client</h3></div></div></div><p>
-<a class="indexterm" name="id408295"></a>
-<a class="indexterm" name="id408302"></a>
-After <code class="literal">cupsaddsmb</code> is completed, your driver is prepared for the clients to use. Here are the
-steps you must perform to download and install it via Point'n'Print. From a Windows client, browse to the
-CUPS/Samba server:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id408323"></a>
- Open the <span class="guilabel">Printers</span> share of Samba in Network Neighborhood.</p></li><li class="listitem"><p>Right-click on the printer in question.</p></li><li class="listitem"><p>From the opening context menu select
- <span class="guimenuitem">Install...</span> or
- <span class="guimenuitem">Connect...</span> (depending on the Windows version you use).</p></li></ul></div><p>
-After a few seconds, there should be a new printer in your client's <span class="emphasis"><em>local</em></span>
-<span class="guilabel">Printers</span> folder. On Windows XP it will follow a naming convention of
-<span class="emphasis"><em>PrinterName on SambaServer</em></span>. (In my current case it is infotec_2105 on kde-bitshop). If
-you want to test it and send your first job from an application like Microsoft Word,
-the new printer appears in a
-<code class="filename">\\SambaServer\PrinterName</code> entry in the drop-down list of available printers.
-</p><p>
-<a class="indexterm" name="id408387"></a>
-<a class="indexterm" name="id408394"></a>
-<a class="indexterm" name="id408401"></a>
-<code class="literal">cupsaddsmb</code> will only reliably work with CUPS version 1.1.15 or higher and with Samba
-version 2.2.4, or later. If it does not work, or if the automatic printer driver download to the clients does
-not succeed, you can still manually install the CUPS printer PPD on top of the Adobe PostScript driver on
-clients. Then point the client's printer queue to the Samba printer share for a UNC type of connection:
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>net use lpt1: \\sambaserver\printershare /user:ntadmin</code></strong>
-</pre><p>
-should you desire to use the CUPS networked PostScript RIP functions. (Note that user <span class="quote">&#8220;<span class="quote">ntadmin</span>&#8221;</span>
-needs to be a valid Samba user with the required privileges to access the printershare.) This sets up the
-printer connection in the traditional LanMan way (not using MS-RPC).
-</p></div><div class="sect2" title="Avoiding Critical PostScript Driver Settings on the Client"><div class="titlepage"><div><div><h3 class="title"><a name="cups-avoidps1"></a>Avoiding Critical PostScript Driver Settings on the Client</h3></div></div></div><p>
-Printing works, but there are still problems. Most jobs print well, some do not print at all. Some jobs have
-problems with fonts, which do not look very good. Some jobs print fast and some are dead-slow. Many of these
-problems can be greatly reduced or even completely eliminated if you follow a few guidelines. Remember, if
-your print device is not PostScript-enabled, you are treating your Ghostscript installation on your CUPS host
-with the output your client driver settings produce. Treat it well:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Avoid the PostScript Output Option: Optimize for Speed setting. Use the Optimize for Portability instead
- (Adobe PostScript driver).</p></li><li class="listitem"><p>
- Don't use the Page Independence: NO setting. Instead, use Page Independence: YES (CUPS PostScript Driver).
- </p></li><li class="listitem"><p>
- Recommended is the True Type Font Downloading Option: Native True Type over Automatic and Outline;
- you should by all means avoid Bitmap (Adobe PostScript Driver).</p></li><li class="listitem"><p>
- Choose True Type Font: Download as Softfont into Printer over the default Replace by Device
- Font (for exotic fonts, you may need to change it back to get a printout at all; Adobe).</p></li><li class="listitem"><p>
- Sometimes you can choose PostScript Language Level: in case of problems try 2
- instead of 3 (the latest ESP Ghostscript package handles Level 3 PostScript very well; Adobe).
- </p></li><li class="listitem"><p>
- Say Yes to PostScript Error Handler (Adobe).</p></li></ul></div></div></div><div class="sect1" title="Installing PostScript Driver Files Manually Using rpcclient"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id408496"></a>Installing PostScript Driver Files Manually Using rpcclient</h2></div></div></div><p>
-Of course, you can run all the commands that are embedded into the
-cupsaddsmb convenience utility yourself, one by one, and upload
-and prepare the driver files for future client downloads.
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Prepare Samba (a CUPS print queue with the name of the
- printer should be there. We are providing the driver now).</p></li><li class="listitem"><p>Copy all files to <em class="parameter"><code>[print$]</code></em>.</p></li><li class="listitem"><p>
- <a class="indexterm" name="id408532"></a>
- Run <code class="literal">rpcclient adddriver</code>
- (for each client architecture you want to support).</p></li><li class="listitem"><p>
- <a class="indexterm" name="id408552"></a>
- Run <code class="literal">rpcclient setdriver.</code></p></li></ol></div><p>
-<a class="indexterm" name="id408571"></a>
-<a class="indexterm" name="id408580"></a>
-<a class="indexterm" name="id408589"></a>
-<a class="indexterm" name="id408598"></a>
-<a class="indexterm" name="id408607"></a>
-We are going to do this now. First, read the man page on <em class="parameter"><code>rpcclient</code></em> to get a first idea.
-Look at all the printing-related subcommands: <code class="literal">enumprinters</code>, <code class="literal">enumdrivers</code>,
-<code class="literal">enumports</code>, <code class="literal">adddriver</code>, and <code class="literal">setdriver</code> are among the
-most interesting ones. <em class="parameter"><code>rpcclient</code></em> implements an important part of the MS-RPC protocol.
-You can use it to query (and command) a Windows NT (or 200x/XP) PC, too. MS-RPC is used by Windows clients,
-among other things, to benefit from the Point'n'Print features. Samba can now mimic this as well.
-</p><div class="sect2" title="A Check of the rpcclient man Page"><div class="titlepage"><div><div><h3 class="title"><a name="id408662"></a>A Check of the rpcclient man Page</h3></div></div></div><p>
-First let's check the <em class="parameter"><code>rpcclient</code></em> man page. Here are two relevant passages:
-</p><p>
-<a class="indexterm" name="id408680"></a>
-<a class="indexterm" name="id408686"></a>
-<a class="indexterm" name="id408693"></a>
-<code class="literal">adddriver &lt;arch&gt; &lt;config&gt;</code> Execute an <code class="literal">AddPrinterDriver()</code> RPC
-to install the printer driver information on the server. The driver files should already exist in the
-directory returned by <code class="literal">getdriverdir</code>. Possible values for <em class="parameter"><code>arch</code></em> are the
-same as those for the <code class="literal">getdriverdir</code> command. The <em class="parameter"><code>config</code></em> parameter is
-defined as follows:
-</p><pre class="screen">
-Long Printer Name:\
-Driver File Name:\
-Data File Name:\
-Config File Name:\
-Help File Name:\
-Language Monitor Name:\
-Default Data Type:\
-Comma Separated list of Files
-</pre><p>
-Any empty fields should be entered as the string <span class="quote">&#8220;<span class="quote">NULL</span>&#8221;</span>.
-</p><p>
-Samba does not need to support the concept of print monitors, since these only apply to local printers whose
-drivers can use a bidirectional link for communication. This field should be <span class="quote">&#8220;<span class="quote">NULL</span>&#8221;</span>. On a remote
-NT print server, the print monitor for a driver must already be installed before adding the driver or else the
-RPC will fail.
-</p><p>
-<a class="indexterm" name="id408764"></a>
-<a class="indexterm" name="id408770"></a>
-<code class="literal">setdriver &lt;printername&gt; &lt;drivername&gt;</code> Execute a <code class="literal">SetPrinter()</code>
-command to update the printer driver associated with an installed printer. The printer driver must already be
-correctly installed on the print server.
-</p><p>
-<a class="indexterm" name="id408794"></a>
-<a class="indexterm" name="id408801"></a>
-See also the <code class="literal">enumprinters</code> and <code class="literal">enumdrivers</code> commands to
-obtain a list of installed printers and drivers.
-</p></div><div class="sect2" title="Understanding the rpcclient man Page"><div class="titlepage"><div><div><h3 class="title"><a name="id408822"></a>Understanding the rpcclient man Page</h3></div></div></div><p>
-<a class="indexterm" name="id408830"></a>
-The <span class="emphasis"><em>exact</em></span> format isn't made too clear by the man page, since you have to deal with some
-parameters containing spaces. Here is a better description for it. We have line-broken the command and
-indicated the breaks with <span class="quote">&#8220;<span class="quote">\</span>&#8221;</span>. Usually you would type the command in one line without the line
-breaks:
-</p><pre class="screen">
-adddriver "Architecture" \
- "LongPrinterName:DriverFile:DataFile:ConfigFile:HelpFile:\
- LanguageMonitorFile:DataType:ListOfFiles,Comma-separated"
-</pre><p>
-What the man pages denote as a simple <em class="parameter"><code>&lt;config&gt;</code></em> keyword in reality consists of
-eight colon-separated fields. The last field may take multiple (in some very insane cases, even 20 different
-additional) files. This might sound confusing at first. What the man pages call the
-<span class="quote">&#8220;<span class="quote">LongPrinterName</span>&#8221;</span> in reality should be called the <span class="quote">&#8220;<span class="quote">Driver Name</span>&#8221;</span>. You can name it
-anything you want, as long as you use this name later in the <code class="literal">rpcclient ... setdriver</code>
-command. For practical reasons, many name the driver the same as the printer.
-</p><p>
-It isn't simple at all. I hear you asking: <span class="quote">&#8220;<span class="quote">How do I know which files are Driver File</span>&#8221;</span>,
-<span class="quote">&#8220;<span class="quote">Data File</span>&#8221;</span>, <span class="quote">&#8220;<span class="quote">Config File</span>&#8221;</span>, <span class="quote">&#8220;<span class="quote">Help File</span>&#8221;</span> and <span class="quote">&#8220;<span class="quote">Language Monitor
-File in each case?</span>&#8221;</span> For an answer, you may want to have a look at how a Windows NT box with a shared
-printer presents the files to us. Remember that this whole procedure has to be developed by the Samba Team by
-listening to the traffic caused by Windows computers on the wire. We may as well turn to a Windows box now and
-access it from a UNIX workstation. We will query it with <code class="literal">rpcclient</code> to see what it tells us
-and try to understand the man page more clearly.
-</p></div><div class="sect2" title="Producing an Example by Querying a Windows Box"><div class="titlepage"><div><div><h3 class="title"><a name="id408914"></a>Producing an Example by Querying a Windows Box</h3></div></div></div><p>
-<a class="indexterm" name="id408922"></a>
-<a class="indexterm" name="id408932"></a>
-We could run <code class="literal">rpcclient</code> with a <code class="literal">getdriver</code> or a
-<code class="literal">getprinter</code> subcommand (in level 3 verbosity) against it. Just sit down at a UNIX or Linux
-workstation with the Samba utilities installed, then type the following command:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'user%secret' NT-SERVER -c 'getdriver printername 3'</code></strong>
-</pre><p>
-From the result it should become clear which is which. Here is an example from my installation:
-<a class="indexterm" name="id408980"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'Danka%xxxx' W200xSERVER \
- -c'getdriver "DANKA InfoStream Virtual Printer" 3'</code></strong>
- cmd = getdriver "DANKA InfoStream Virtual Printer" 3
-
- [Windows NT x86]
- Printer Driver Info 3:
- Version: [2]
- Driver Name: [DANKA InfoStream]
- Architecture: [Windows NT x86]
- Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.DLL]
- Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\INFOSTRM.PPD]
- Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRPTUI.DLL]
- Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.HLP]
-
- Dependentfiles: []
- Dependentfiles: []
- Dependentfiles: []
- Dependentfiles: []
- Dependentfiles: []
- Dependentfiles: []
- Dependentfiles: []
-
- Monitorname: []
- Defaultdatatype: []
-</pre><p>
-Some printer drivers list additional files under the label <em class="parameter"><code>Dependentfiles</code></em>, and these
-would go into the last field <em class="parameter"><code>ListOfFiles,Comma-separated</code></em>. For the CUPS PostScript
-drivers, we do not need any (nor would we for the Adobe PostScript driver); therefore, the field will get a
-<span class="quote">&#8220;<span class="quote">NULL</span>&#8221;</span> entry.
-</p></div><div class="sect2" title="Requirements for adddriver and setdriver to Succeed"><div class="titlepage"><div><div><h3 class="title"><a name="id409034"></a>Requirements for adddriver and setdriver to Succeed</h3></div></div></div><p>
-<a class="indexterm" name="id409042"></a>
-<a class="indexterm" name="id409051"></a>
-<a class="indexterm" name="id409058"></a>
-From the man page (and from the quoted output of <code class="literal">cupsaddsmb</code> above) it becomes clear that
-you need to have certain conditions in order to make the manual uploading and initializing of the driver files
-succeed. The two <code class="literal">rpcclient</code> subcommands (<code class="literal">adddriver</code> and
-<code class="literal">setdriver</code>) need to encounter the following preconditions to complete successfully:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>You are connected as <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a> or root (this is
- <span class="emphasis"><em>not</em></span> the <span class="quote">&#8220;<span class="quote">Printer Operators</span>&#8221;</span> group in NT, but the <span class="emphasis"><em>printer
- admin</em></span> group as defined in the <em class="parameter"><code>[global]</code></em> section of <code class="filename">smb.conf</code>).
- </p></li><li class="listitem"><p>Copy all required driver files to <code class="filename">\\SAMBA\print$\w32x86</code> and
- <code class="filename">\\SAMBA\print$\win40</code> as appropriate. They will end up in the <span class="quote">&#8220;<span class="quote">0</span>&#8221;</span> respective
- <span class="quote">&#8220;<span class="quote">2</span>&#8221;</span> subdirectories later. For now, <span class="emphasis"><em>do not</em></span> put them there; they'll be
- automatically used by the <code class="literal">adddriver</code> subcommand. (If you use <code class="literal">smbclient</code> to
- put the driver files into the share, note that you need to escape the <span class="quote">&#8220;<span class="quote">$</span>&#8221;</span>: <code class="literal">smbclient
- //sambaserver/print\$ -U root.</code>)</p></li><li class="listitem"><p>The user you're connecting as must be able to write to
- the <em class="parameter"><code>[print$]</code></em> share and create
- subdirectories.</p></li><li class="listitem"><p>The printer you are going to set up for the Windows
- clients needs to be installed in CUPS already.</p></li><li class="listitem"><p>
- <a class="indexterm" name="id409202"></a>
- <a class="indexterm" name="id409211"></a>
- The CUPS printer must be known to Samba; otherwise the <code class="literal">setdriver</code> subcommand fails with an
- NT_STATUS_UNSUCCESSFUL error. To check if the printer is known by Samba, you may use the
- <code class="literal">enumprinters</code> subcommand to <code class="literal">rpcclient</code>. A long-standing bug prevented a
- proper update of the printer list until every smbd process had received a SIGHUP or was restarted. Remember
- this in case you've created the CUPS printer just recently and encounter problems: try restarting Samba.
- </p></li></ul></div></div><div class="sect2" title="Manual Driver Installation in 15 Steps"><div class="titlepage"><div><div><h3 class="title"><a name="id409245"></a>Manual Driver Installation in 15 Steps</h3></div></div></div><p>
-We are going to install a printer driver now by manually executing all
-required commands. Because this may seem a rather complicated process at
-first, we go through the procedure step by step, explaining every
-single action item as it comes up.
-</p><div class="procedure" title="Procedure 22.2. Manual Driver Installation"><a name="id409256"></a><p class="title"><b>Procedure 22.2. Manual Driver Installation</b></p><ol class="procedure" type="1"><li class="step" title="Install the printer on CUPS."><p class="title"><b>Install the printer on CUPS.</b></p><pre class="screen">
- <code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p mysmbtstprn -v socket://10.160.51.131:9100 -E \
- -P canonIR85.ppd</code></strong>
- </pre><p>
- This installs a printer with the name <em class="parameter"><code>mysmbtstprn</code></em>
- to the CUPS system. The printer is accessed via a socket
- (a.k.a. JetDirect or Direct TCP/IP) connection. You need to be root
- for this step.
- </p></li><li class="step" title="(Optional.) Check if the printer is recognized by Samba."><p class="title"><b>(Optional.) Check if the printer is recognized by Samba.</b></p><p>
- <a class="indexterm" name="id409310"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'enumprinters' localhost \
- | grep -C2 mysmbtstprn</code></strong>
-flags:[0x800000]
-name:[\\kde-bitshop\mysmbtstprn]
-description:[\\kde-bitshop\mysmbtstprn,,mysmbtstprn]
-comment:[mysmbtstprn]
-</pre><p>
- </p><p>
- This should show the printer in the list. If not, stop and restart the Samba daemon (smbd) or send a HUP signal:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>kill -HUP `pidof smbd`</code></strong>
-</pre><p>
- Check again. Troubleshoot and repeat until successful. Note the <span class="quote">&#8220;<span class="quote">empty</span>&#8221;</span> field between the two
- commas in the <span class="quote">&#8220;<span class="quote">description</span>&#8221;</span> line. The driver name would appear here if there was one already. You
- need to know root's Samba password (as set by the <code class="literal">smbpasswd</code> command) for this step and most
- of the following steps. Alternatively, you can authenticate as one of the users from the <span class="quote">&#8220;<span class="quote">write
- list</span>&#8221;</span> as defined in <code class="filename">smb.conf</code> for <em class="parameter"><code>[print$]</code></em>.
- </p></li><li class="step" title="(Optional.) Check if Samba knows a driver for the printer."><p class="title"><b>(Optional.) Check if Samba knows a driver for the printer.</b></p><p>
- <a class="indexterm" name="id409401"></a>
- <a class="indexterm" name="id409410"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2'\
- localhost | grep driver </code></strong>
-
-drivername:[]
-
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' \
- localhost | grep -C4 driv</code></strong>
-
-servername:[\\kde-bitshop]
-printername:[\\kde-bitshop\mysmbtstprn]
-sharename:[mysmbtstprn]
-portname:[Samba Printer Port]
-drivername:[]
-comment:[mysmbtstprn]
-location:[]
-sepfile:[]
-printprocessor:[winprint]
-
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost</code></strong>
- result was WERR_UNKNOWN_PRINTER_DRIVER
-</pre><p>
-None of the three commands shown above should show a driver.
-This step was done for the purpose of demonstrating this condition. An
-attempt to connect to the printer at this stage will prompt a
-message along the lines of, <span class="quote">&#8220;<span class="quote">The server does not have the required printer
-driver installed.</span>&#8221;</span>
-</p></li><li class="step" title="Put all required driver files into Samba's [print$]."><p class="title"><b>Put all required driver files into Samba's
-[print$].</b></p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbclient //localhost/print\$ -U 'root%xxxx' \
- -c 'cd W32X86; \
- put /etc/cups/ppd/mysmbtstprn.ppd mysmbtstprn.PPD; \
- put /usr/share/cups/drivers/cupsui.dll cupsui.dll; \
- put /usr/share/cups/drivers/cupsdrvr.dll cupsdrvr.dll; \
- put /usr/share/cups/drivers/cups.hlp cups.hlp'</code></strong>
-</pre><p>
-(This command should be entered in one long single line. Line breaks and the line ends indicated by
-<span class="quote">&#8220;<span class="quote">\</span>&#8221;</span> have been inserted for readability reasons.) This step is <span class="emphasis"><em>required</em></span> for
-the next one to succeed. It makes the driver files physically present in the <em class="parameter"><code>[print$]</code></em>
-share. However, clients would still not be able to install them, because Samba does not yet treat them as
-driver files. A client asking for the driver would still be presented with a <span class="quote">&#8220;<span class="quote">not installed here</span>&#8221;</span>
-message.
-</p></li><li class="step" title="Verify where the driver files are now."><p class="title"><b>Verify where the driver files are now.</b></p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>ls -l /etc/samba/drivers/W32X86/</code></strong>
-total 669
-drwxr-sr-x 2 root ntadmin 532 May 25 23:08 2
-drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3
--rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp
--rwxr--r-- 1 root ntadmin 278380 May 25 23:21 cupsdrvr.dll
--rwxr--r-- 1 root ntadmin 215848 May 25 23:21 cupsui.dll
--rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD
-</pre><p>
-The driver files now are in the W32X86 architecture <span class="quote">&#8220;<span class="quote">root</span>&#8221;</span> of
-<em class="parameter"><code>[print$]</code></em>.
-</p></li><li class="step" title="Tell Samba that these are driver files (adddriver)."><p class="title"><b>Tell Samba that these are driver files (<code class="literal">adddriver</code>).</b></p><p>
-<a class="indexterm" name="id409581"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'adddriver "Windows NT x86" \
- "mydrivername:cupsdrvr.dll:mysmbtstprn.PPD: \
- cupsui.dll:cups.hlp:NULL:RAW:NULL"' \
- localhost</code></strong>
-Printer Driver mydrivername successfully installed.
-</pre><p>
-You cannot repeat this step if it fails. It could fail even as a result of a simple typo. It will most likely
-have moved a part of the driver files into the <span class="quote">&#8220;<span class="quote">2</span>&#8221;</span> subdirectory. If this step fails, you need to
-go back to the fourth step and repeat it before you can try this one again. In this step, you need to choose a
-name for your driver. It is normally a good idea to use the same name as is used for the printer name;
-however, in big installations you may use this driver for a number of printers that obviously have different
-names, so the name of the driver is not fixed.
-</p></li><li class="step" title="Verify where the driver files are now."><p class="title"><b>Verify where the driver files are now.</b></p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>ls -l /etc/samba/drivers/W32X86/</code></strong>
-total 1
-drwxr-sr-x 2 root ntadmin 532 May 25 23:22 2
-drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3
-
-<code class="prompt">root# </code><strong class="userinput"><code>ls -l /etc/samba/drivers/W32X86/2</code></strong>
-total 5039
-[....]
--rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp
--rwxr--r-- 1 root ntadmin 278380 May 13 13:53 cupsdrvr.dll
--rwxr--r-- 1 root ntadmin 215848 May 13 13:53 cupsui.dll
--rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD
-</pre><p>
-Notice how step 6 also moved the driver files to the appropriate
-subdirectory. Compare this with the situation after step 5.
-</p></li><li class="step" title="(Optional.) Verify if Samba now recognizes the driver."><p class="title"><b>(Optional.) Verify if Samba now recognizes the driver.</b></p><p>
-<a class="indexterm" name="id409675"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'enumdrivers 3' \
- localhost | grep -B2 -A5 mydrivername</code></strong>
-Printer Driver Info 3:
-Version: [2]
-Driver Name: [mydrivername]
-Architecture: [Windows NT x86]
-Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll]
-Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD]
-Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll]
-Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp]
-</pre><p>
-Remember, this command greps for the name you chose for the
-driver in step 6. This command must succeed before you can proceed.
-</p></li><li class="step" title="Tell Samba which printer should use these driver files (setdriver)."><p class="title"><b>Tell Samba which printer should use these driver files (<code class="literal">setdriver</code>).</b></p><p>
-<a class="indexterm" name="id409725"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'setdriver mysmbtstprn mydrivername' \
- localhost</code></strong>
-Successfully set mysmbtstprn to driver mydrivername
-</pre><p>
-Since you can bind any printer name (print queue) to any driver, this is a convenient way to set up many
-queues that use the same driver. You do not need to repeat all the previous steps for the setdriver command to
-succeed. The only preconditions are that <code class="literal">enumdrivers</code> must find the driver and
-<code class="literal">enumprinters</code> must find the printer.
-</p></li><li class="step" title="(Optional) Verify if Samba has recognized this association."><p class="title"><b>(Optional) Verify if Samba has recognized this association.</b></p><p>
-<a class="indexterm" name="id409780"></a>
-<a class="indexterm" name="id409790"></a>
-<a class="indexterm" name="id409799"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
- | grep driver</code></strong>
-drivername:[mydrivername]
-
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
- | grep -C4 driv</code></strong>
-servername:[\\kde-bitshop]
-printername:[\\kde-bitshop\mysmbtstprn]
-sharename:[mysmbtstprn]
-portname:[Done]
-drivername:[mydrivername]
-comment:[mysmbtstprn]
-location:[]
-sepfile:[]
-printprocessor:[winprint]
-
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost</code></strong>
-[Windows NT x86]
-Printer Driver Info 3:
- Version: [2]
- Driver Name: [mydrivername]
- Architecture: [Windows NT x86]
- Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll]
- Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD]
- Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll]
- Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp]
- Monitorname: []
- Defaultdatatype: [RAW]
- Monitorname: []
- Defaultdatatype: [RAW]
-
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'enumprinters' localhost \
- | grep mysmbtstprn</code></strong>
- name:[\\kde-bitshop\mysmbtstprn]
- description:[\\kde-bitshop\mysmbtstprn,mydrivername,mysmbtstprn]
- comment:[mysmbtstprn]
-
-</pre><p>
-<a class="indexterm" name="id409867"></a>
-Compare these results with the ones from steps 2 and 3. Every one of these commands show the driver is installed. Even
-the <code class="literal">enumprinters</code> command now lists the driver
-on the <span class="quote">&#8220;<span class="quote">description</span>&#8221;</span> line.
-</p></li><li class="step" title="(Optional.) Tickle the driver into a correct device mode."><p class="title"><b>(Optional.) Tickle the driver into a correct
-device mode.</b></p><p>
-<a class="indexterm" name="id409899"></a>
-You certainly know how to install the driver on the client. In case
-you are not particularly familiar with Windows, here is a short
-recipe: Browse the Network Neighborhood, go to the Samba server, and look
-for the shares. You should see all shared Samba printers.
-Double-click on the one in question. The driver should get
-installed and the network connection set up. Another way is to
-open the <span class="guilabel">Printers (and Faxes)</span> folder, right-click on the printer in
-question, and select <span class="guilabel">Connect</span> or <span class="guilabel">Install</span>. As a result, a new printer
-should appear in your client's local <span class="guilabel">Printers (and Faxes)</span>
-folder, named something like <span class="guilabel">printersharename on Sambahostname</span>.
-</p><p>
-It is important that you execute this step as a Samba printer admin
-(as defined in <code class="filename">smb.conf</code>). Here is another method
-to do this on Windows XP. It uses a command line, which you may type
-into the <span class="quote">&#8220;<span class="quote">DOS box</span>&#8221;</span> (type root's smbpassword when prompted):
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry \
- /in /n \\sambaserver\mysmbtstprn"</code></strong>
-</pre><p>
-Change any printer setting once (like changing <span class="emphasis"><em><span class="guilabel">portrait</span> to
-<span class="guilabel">landscape</span></em></span>), click on <span class="guibutton">Apply</span>, and change the setting back.
-</p></li><li class="step" title="Install the printer on a client (Point'n'Print)."><p class="title"><b>Install the printer on a client (Point'n'Print).</b></p><p>
-<a class="indexterm" name="id410008"></a>
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /in /n "\\sambaserver\mysmbtstprn"</code></strong>
-</pre><p>
-If it does not work, it could be a permissions problem with the <em class="parameter"><code>[print$]</code></em> share.
-</p></li><li class="step" title="(Optional) Print a test page."><p class="title"><b>(Optional) Print a test page.</b></p><a class="indexterm" name="id410048"></a><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /p /n "\\sambaserver\mysmbtstprn"</code></strong>
-</pre><p>
-Then hit [TAB] five times, [ENTER] twice, [TAB] once, and [ENTER] again, and march to the printer.
-</p></li><li class="step" title="(Recommended.) Study the test page."><p class="title"><b>(Recommended.) Study the test page.</b></p><p>
-Hmmm. Just kidding! By now you know everything about printer installations and you do not need to read a word.
-Just put it in a frame and bolt it to the wall with the heading "MY FIRST RPCCLIENT-INSTALLED PRINTER"
- why not just throw it away!
-</p></li><li class="step" title="(Obligatory.) Enjoy. Jump. Celebrate your success."><p class="title"><b>(Obligatory.) Enjoy. Jump. Celebrate your success.</b></p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>echo "Cheeeeerioooooo! Success..." &gt;&gt; /var/log/samba/log.smbd</code></strong>
-</pre></li></ol></div></div><div class="sect2" title="Troubleshooting Revisited"><div class="titlepage"><div><div><h3 class="title"><a name="id410123"></a>Troubleshooting Revisited</h3></div></div></div><p>
-<a class="indexterm" name="id410131"></a>
-The setdriver command will fail if in Samba's mind the queue is not
-already there. A successful installation displays the promising message that the:
-</p><pre class="screen">
-Printer Driver ABC successfully installed.
-</pre><p>
-following the <code class="literal">adddriver</code> parts of the procedure. But you may also see
-a disappointing message like this one:
-<code class="computeroutput">
-result was NT_STATUS_UNSUCCESSFUL
-</code></p><p>
-<a class="indexterm" name="id410160"></a>
-<a class="indexterm" name="id410167"></a>
-It is not good enough that you can see the queue in CUPS, using the <code class="literal">lpstat -p ir85wm</code>
-command. A bug in most recent versions of Samba prevents the proper update of the queue list. The recognition
-of newly installed CUPS printers fails unless you restart Samba or send a HUP to all smbd processes. To verify
-if this is the reason why Samba does not execute the <code class="literal">setdriver</code> command successfully, check
-if Samba <span class="quote">&#8220;<span class="quote">sees</span>&#8221;</span> the printer:
-<a class="indexterm" name="id410192"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient transmeta -N -U'root%xxxx' -c 'enumprinters 0'|grep ir85wm</code></strong>
- printername:[ir85wm]
-</pre><p>
-An alternate command could be this:
-<a class="indexterm" name="id410221"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient transmeta -N -U'root%secret' -c 'getprinter ir85wm' </code></strong>
- cmd = getprinter ir85wm
- flags:[0x800000]
- name:[\\transmeta\ir85wm]
- description:[\\transmeta\ir85wm,ir85wm,DPD]
- comment:[CUPS PostScript-Treiber for Windows NT/200x/XP]
-</pre><p>
-By the way, you can use these commands, plus a few more, of course, to install drivers on remote Windows NT print servers too!
-</p></div></div><div class="sect1" title="The Printing *.tdb Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id410254"></a>The Printing <code class="filename">*.tdb</code> Files</h2></div></div></div><p>
-<a class="indexterm" name="id410268"></a>
-<a class="indexterm" name="id410275"></a>
-<a class="indexterm" name="id410284"></a>
-<a class="indexterm" name="id410293"></a>
-<a class="indexterm" name="id410302"></a>
-<a class="indexterm" name="id410310"></a>
-<a class="indexterm" name="id410319"></a>
-<a class="indexterm" name="id410328"></a>
-<a class="indexterm" name="id410337"></a>
-<a class="indexterm" name="id410346"></a>
-<a class="indexterm" name="id410355"></a>
-<a class="indexterm" name="id410364"></a>
-<a class="indexterm" name="id410373"></a>
-Some mystery is associated with the series of files with a tdb suffix appearing in every Samba installation.
-They are <code class="filename">connections.tdb</code>, <code class="filename">printing.tdb</code>,
-<code class="filename">share_info.tdb</code>, <code class="filename">ntdrivers.tdb</code>, <code class="filename">unexpected.tdb</code>,
-<code class="filename">brlock.tdb</code>, <code class="filename">locking.tdb</code>, <code class="filename">ntforms.tdb</code>,
-<code class="filename">messages.tdb</code> , <code class="filename">ntprinters.tdb</code>, <code class="filename">sessionid.tdb</code>,
-and <code class="filename">secrets.tdb</code>. What is their purpose?
-</p><div class="sect2" title="Trivial Database Files"><div class="titlepage"><div><div><h3 class="title"><a name="id410454"></a>Trivial Database Files</h3></div></div></div><p>
-<a class="indexterm" name="id410462"></a>
-A Windows NT (print) server keeps track of all information needed to serve its duty toward its clients by
-storing entries in the Windows registry. Client queries are answered by reading from the registry,
-Administrator or user configuration settings that are saved by writing into the registry. Samba and UNIX
-obviously do not have such a Registry. Samba instead keeps track of all client-related information in a series
-of <code class="filename">*.tdb</code> files. (TDB stands for trivial data base). These are often located in
-<code class="filename">/var/lib/samba/</code> or <code class="filename">/var/lock/samba/</code>. The printing-related files are
-<code class="filename">ntprinters.tdb</code>, <code class="filename">printing.tdb</code>,<code class="filename">ntforms.tdb</code>, and
-<code class="filename">ntdrivers.tdb</code>.
-</p></div><div class="sect2" title="Binary Format"><div class="titlepage"><div><div><h3 class="title"><a name="id410516"></a>Binary Format</h3></div></div></div><p>
-<code class="filename">*.tdb</code> files are not human readable. They are written in a binary format. <span class="quote">&#8220;<span class="quote">Why not
-ASCII?</span>&#8221;</span>, you may ask. <span class="quote">&#8220;<span class="quote">After all, ASCII configuration files are a good and proven tradition on
-UNIX.</span>&#8221;</span> The reason for this design decision by the Samba Team is mainly performance. Samba needs to be
-fast; it runs a separate <code class="literal">smbd</code> process for each client connection, in some environments many
-thousands of them. Some of these <code class="literal">smbds</code> might need to write-access the same
-<code class="filename">*.tdb</code> file <span class="emphasis"><em>at the same time</em></span>. The file format of Samba's
-<code class="filename">*.tdb</code> files allows for this provision. Many smbd processes may write to the same
-<code class="filename">*.tdb</code> file at the same time. This wouldn't be possible with pure ASCII files.
-</p></div><div class="sect2" title="Losing *.tdb Files"><div class="titlepage"><div><div><h3 class="title"><a name="id410577"></a>Losing <code class="filename">*.tdb</code> Files</h3></div></div></div><p>
-It is very important that all <code class="filename">*.tdb</code> files remain consistent over all write and read
-accesses. However, it may happen that these files <span class="emphasis"><em>do</em></span> get corrupted. (A <code class="literal">kill -9
-`pidof smbd'</code> while a write access is in progress could do the damage, as could a power interruption,
-etc.). In cases of trouble, a deletion of the old printing-related <code class="filename">*.tdb</code> files may be the
-only option. After that, you need to re-create all print-related setups unless you have made a backup of the
-<code class="filename">*.tdb</code> files in time.
-</p></div><div class="sect2" title="Using tdbbackup"><div class="titlepage"><div><div><h3 class="title"><a name="id410623"></a>Using <code class="literal">tdbbackup</code></h3></div></div></div><p>
-<a class="indexterm" name="id410636"></a>
-<a class="indexterm" name="id410647"></a>
-Samba ships with a little utility that helps the root user of your system to backup your
-<code class="filename">*.tdb</code> files. If you run it with no argument, it prints a usage message:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>tdbbackup</code></strong>
- Usage: tdbbackup [options] &lt;fname...&gt;
-
- Version:3.0a
- -h this help message
- -s suffix set the backup suffix
- -v verify mode (restore if corrupt)
-</pre><p>
-Here is how I backed up my <code class="filename">printing.tdb</code> file:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>ls</code></strong>
-. browse.dat locking.tdb ntdrivers.tdb printing.tdb
-.. share_info.tdb connections.tdb messages.tdb ntforms.tdb
-printing.tdbkp unexpected.tdb brlock.tdb gmon.out namelist.debug
-ntprinters.tdb sessionid.tdb
-
-<code class="prompt">root# </code><strong class="userinput"><code>tdbbackup -s .bak printing.tdb</code></strong>
- printing.tdb : 135 records
-
-<code class="prompt">root# </code><strong class="userinput"><code>ls -l printing.tdb*</code></strong>
- -rw------- 1 root root 40960 May 2 03:44 printing.tdb
- -rw------- 1 root root 40960 May 2 03:44 printing.tdb.bak
-
-</pre></div></div><div class="sect1" title="CUPS Print Drivers from Linuxprinting.org"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id410734"></a>CUPS Print Drivers from Linuxprinting.org</h2></div></div></div><p>
-<a class="indexterm" name="id410742"></a>
-CUPS ships with good support for HP LaserJet-type printers. You can install the generic driver as follows:
-<a class="indexterm" name="id410750"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -m laserjet.ppd</code></strong>
-</pre><p>
-The <code class="option">-m</code> switch will retrieve the <code class="filename">laserjet.ppd</code> from the standard
-repository for not-yet-installed PPDs, which CUPS typically stores in
-<code class="filename">/usr/share/cups/model</code>. Alternatively, you may use <code class="option">-P /path/to/your.ppd</code>.
-</p><p>
-The generic <code class="filename">laserjet.ppd,</code> however, does not support every special option for every
-LaserJet-compatible model. It constitutes a sort of <span class="quote">&#8220;<span class="quote">least common denominator</span>&#8221;</span> of all the models.
-If for some reason you must pay for the commercially available ESP Print Pro drivers, your first move should
-be to consult the database on the <a class="ulink" href="http://www.linuxprinting.org/printer_list.cgi" target="_top">Linuxprinting</a> Web site. Linuxprinting.org has
-excellent recommendations about which driver is best used for each printer. Its database is kept current by
-the tireless work of Till Kamppeter from Mandrakesoft, who is also the principal author of the
-<code class="literal">foomatic-rip</code> utility.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id410831"></a>
-<a class="indexterm" name="id410838"></a>
-<a class="indexterm" name="id410845"></a>
-The former <code class="literal">cupsomatic</code> concept is now being replaced by the new successor, a much more
-powerful <code class="literal">foomatic-rip</code>. <code class="literal">cupsomatic</code> is no longer maintained. Here is the
-new URL to the <a class="ulink" href="http://www.linuxprinting.org/driver_list.cgi" target="_top">Foomatic-3.0</a>
-database. If you upgrade to <code class="literal">foomatic-rip</code>, remember to also upgrade to the new-style PPDs
-for your Foomatic-driven printers. foomatic-rip will not work with PPDs generated for the old
-<code class="literal">cupsomatic</code>. The new-style PPDs are 100% compliant with the Adobe PPD specification. They
-are also intended to be used by Samba and the cupsaddsmb utility, to provide the driver files for the Windows
-clients!
-</p></div><div class="sect2" title="foomatic-rip and Foomatic Explained"><div class="titlepage"><div><div><h3 class="title"><a name="id410895"></a>foomatic-rip and Foomatic Explained</h3></div></div></div><p>
-<a class="indexterm" name="id410903"></a>
-<a class="indexterm" name="id410909"></a>
-Nowadays, most Linux distributions rely on the utilities from the <a class="ulink" href="http://www.linuxprinting.org/" target="_top">Linuxprinting.org</a> to create their printing-related software
-(which, by the way, works on all UNIXes and on Mac OS X and Darwin, too). The utilities from this sire have a
-very end-user-friendly interface that allows for an easy update of drivers and PPDs for all supported models,
-all spoolers, all operating systems, and all package formats (because there is none). Its history goes back a
-few years.
-</p><p>
-Recently, Foomatic has achieved the astonishing milestone of <a class="ulink" href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">1,000 listed</a> printer models.
-Linuxprinting.org keeps all the important facts about printer drivers, supported models, and which options are
-available for the various driver/printer combinations in its <a class="ulink" href="http://www.linuxprinting.org/foomatic.html" target="_top">Foomatic</a> database. Currently there are <a class="ulink" href="http://www.linuxprinting.org/driver_list.cgi" target="_top">245 drivers</a> in the database. Many drivers support
-various models, and many models may be driven by different drivers its your choice!
-</p><div class="sect3" title="690 &#8220;Perfect&#8221; Printers"><div class="titlepage"><div><div><h4 class="title"><a name="id410956"></a>690 <span class="quote">&#8220;<span class="quote">Perfect</span>&#8221;</span> Printers</h4></div></div></div><p>
-<a class="indexterm" name="id410967"></a>
-At present, there are 690 devices dubbed as working perfectly: 181 are <span class="emphasis"><em>mostly</em></span> perfect, 96
-are <span class="emphasis"><em>partially</em></span> perfect, and 46 are paperweights. Keeping in mind that most of these are
-non-PostScript models (PostScript printers are automatically supported by CUPS to perfection by using their
-own manufacturer-provided Windows PPD), and that a multifunctional device never qualifies as working perfectly
-if it does not also scan and copy and fax under GNU/Linux then this is a truly astonishing
-achievement! Three years ago the number was not more than 500, and Linux or UNIX printing at the time wasn't
-anywhere near the quality it is today.
-</p></div><div class="sect3" title="How the Printing HOWTO Started It All"><div class="titlepage"><div><div><h4 class="title"><a name="id410991"></a>How the Printing HOWTO Started It All</h4></div></div></div><p>
-A few years ago <a class="ulink" href="http://www2.picante.com/" target="_top">Grant Taylor</a> started it all. The
-roots of today's Linuxprinting.org are in the first <a class="ulink" href="http://www.linuxprinting.org/foomatic2.9/howto/" target="_top">Linux Printing HOWTO</a> that he authored. As a
-side-project to this document, which served many Linux users and admins to guide their first steps in this
-complicated and delicate setup (to a scientist, printing is <span class="quote">&#8220;<span class="quote">applying a structured deposition of
-distinct patterns of ink or toner particles on paper substrates</span>&#8221;</span>), he started to build in a little
-Postgres database with information about the hardware and driver zoo that made up Linux printing of the time.
-This database became the core component of today's Foomatic collection of tools and data. In the meantime, it
-has moved to an XML representation of the data.
-</p></div><div class="sect3" title="Foomatic's Strange Name"><div class="titlepage"><div><div><h4 class="title"><a name="id411022"></a>Foomatic's Strange Name</h4></div></div></div><p>
-<a class="indexterm" name="id411030"></a>
-<span class="quote">&#8220;<span class="quote">Why the funny name?</span>&#8221;</span> you ask. When it really took off, around spring 2000, CUPS was far less
-popular than today, and most systems used LPD, LPRng, or even PDQ to print. CUPS shipped with a few generic
-drivers (good for a few hundred different printer models). These didn't support many device-specific options.
-CUPS also shipped with its own built-in rasterization filter (<em class="parameter"><code>pstoraster</code></em>, derived from
-Ghostscript). On the other hand, CUPS provided brilliant support for <span class="emphasis"><em>controlling</em></span> all
-printer options through standardized and well-defined PPD files. Plus, CUPS was designed to be easily
-extensible.
-</p><p>
-Taylor already had in his database a respectable compilation of facts about many more printers and the
-Ghostscript <span class="quote">&#8220;<span class="quote">drivers</span>&#8221;</span> they run with. His idea, to generate PPDs from the database information and
-use them to make standard Ghostscript filters work within CUPS, proved to work very well. It also killed
-several birds with one stone:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>It made all current and future Ghostscript filter
- developments available for CUPS.</p></li><li class="listitem"><p>It made available a lot of additional printer models
- to CUPS users (because often the traditional Ghostscript way of
- printing was the only one available).</p></li><li class="listitem"><p>It gave all the advanced CUPS options (Web interface,
- GUI driver configurations) to users wanting (or needing) to use
- Ghostscript filters.</p></li></ul></div></div><div class="sect3" title="cupsomatic, pdqomatic, lpdomatic, directomatic"><div class="titlepage"><div><div><h4 class="title"><a name="id411086"></a>cupsomatic, pdqomatic, lpdomatic, directomatic</h4></div></div></div><p>
-<a class="indexterm" name="id411094"></a>
-<a class="indexterm" name="id411100"></a>
-<a class="indexterm" name="id411107"></a>
-CUPS worked through a quickly hacked-up filter script named <a class="ulink" href="http://www.linuxprinting.org/download.cgi?filename=cupsomatic&amp;show=0" target="_top">cupsomatic</a>. cupsomatic
-ran the printfile through Ghostscript, constructing automatically the rather complicated command line needed.
-It just needed to be copied into the CUPS system to make it work. To configure the way cupsomatic controls the
-Ghostscript rendering process, it needs a CUPS-PPD. This PPD is generated directly from the contents of the
-database. For CUPS and the respective printer/filter combo, another Perl script named CUPS-O-Matic did the PPD
-generation. After that was working, Taylor implemented within a few days a similar thing for two other
-spoolers. Names chosen for the config-generator scripts were <a class="ulink" href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&amp;show=0" target="_top">PDQ-O-Matic</a> (for PDQ)
-and <a class="ulink" href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&amp;show=0" target="_top">LPD-O-Matic</a>
-(for you guessed it LPD); the configuration here didn't use PPDs but other
-spooler-specific files.
-</p><p>
-From late summer of that year, <a class="ulink" href="http://www.linuxprinting.org/till/" target="_top">Till Kamppeter</a> started
-to put work into the database. Kamppeter had been newly employed by <a class="ulink" href="http://www.mandrakesoft.com/" target="_top">Mandrakesoft</a> to convert its printing system over to CUPS, after
-they had seen his <a class="ulink" href="http://www.fltk.org/" target="_top">FLTK</a>-based <a class="ulink" href="http://cups.sourceforge.net/xpp/" target="_top">XPP</a> (a GUI front-end to the CUPS lp-command). He added a huge
-amount of new information and new printers. He also developed the support for other spoolers, like <a class="ulink" href="http://ppr.sourceforge.net/" target="_top">PPR</a> (via ppromatic), <a class="ulink" href="http://sourceforge.net/projects/lpr/" target="_top">GNUlpr</a>, and <a class="ulink" href="http://www.lprng.org/" target="_top">LPRng</a> (both via an extended lpdomatic) and spooler-less printing (<a class="ulink" href="http://www.linuxprinting.org/download.cgi?filename=directomatic&amp;show=0" target="_top">directomatic</a>).
-</p><p>
-So, to answer your question, <span class="quote">&#8220;<span class="quote">Foomatic</span>&#8221;</span> is the general name for all the overlapping code and data
-behind the <span class="quote">&#8220;<span class="quote">*omatic</span>&#8221;</span> scripts. Foomatic, up to versions 2.0.x, required (ugly) Perl data
-structures attached to Linuxprinting.org PPDs for CUPS. It had a different <span class="quote">&#8220;<span class="quote">*omatic</span>&#8221;</span> script for
-every spooler, as well as different printer configuration files.
-</p></div><div class="sect3" title="The Grand Unification Achieved"><div class="titlepage"><div><div><h4 class="title"><a name="id411224"></a>The <span class="emphasis"><em>Grand Unification</em></span> Achieved</h4></div></div></div><p>
-<a class="indexterm" name="id411235"></a>
-This has all changed in Foomatic versions 2.9 (beta) and released as <span class="quote">&#8220;<span class="quote">stable</span>&#8221;</span> 3.0. It has now
-achieved the convergence of all *omatic scripts and is called the <a class="ulink" href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&amp;show=0" target="_top">foomatic-rip</a>.
-This single script is the unification of the previously different spooler-specific *omatic scripts.
-foomatic-rip is used by all the different spoolers alike, and because it can read PPDs (both the original
-PostScript printer PPDs and the Linuxprinting.org-generated ones), all of a sudden all supported spoolers can
-have the power of PPDs at their disposal. Users only need to plug foomatic-rip into their system. For users
-there is improved media type and source support paper sizes and trays are easier to configure.
-</p><p>
-<a class="indexterm" name="id411264"></a>
-<a class="indexterm" name="id411270"></a>
-<a class="indexterm" name="id411276"></a>
-Also, the new generation of Linuxprinting.org PPDs no longer contains Perl data structures. If you are a
-distro maintainer and have used the previous version of Foomatic, you may want to give the new one a spin, but
-remember to generate a new-version set of PPDs via the new <a class="ulink" href="http://www.linuxprinting.org/download/foomatic/foomatic-db-engine-3.0.0beta1.tar.gz" target="_top">foomatic-db-engine!</a>.
-Individual users just need to generate a single new PPD specific to their model by <a class="ulink" href="http://www.linuxprinting.org/kpfeifle/LinuxKongress2002/Tutorial/II.Foomatic-User/II.tutorial-handout-foomatic-user.html" target="_top">following
-the steps</a> outlined in the Foomatic tutorial or in this chapter. This new development is truly amazing.
-</p><p>
-<a class="indexterm" name="id411303"></a>
-<a class="indexterm" name="id411310"></a>
-<a class="indexterm" name="id411317"></a>
-foomatic-rip is a very clever wrapper around the need to run Ghostscript with a different syntax, options,
-device selections, and/or filters for each different printer or spooler. At the same time, it can read the PPD
-associated with a print queue and modify the print job according to the user selections. Together with this
-comes the 100% compliance of the new Foomatic PPDs with the Adobe spec. Some innovative features of the
-Foomatic concept may surprise users. It will support custom paper sizes for many printers and will support
-printing on media drawn from different paper trays within the same job (in both cases, even where there is no
-support for this from Windows-based vendor printer drivers).
-</p></div><div class="sect3" title="Driver Development Outside"><div class="titlepage"><div><div><h4 class="title"><a name="id411332"></a>Driver Development Outside</h4></div></div></div><p>
-<a class="indexterm" name="id411340"></a>
-Most driver development itself does not happen within Linuxprinting.org. Drivers are written by independent
-maintainers. Linuxprinting.org just pools all the information and stores it in its database. In addition, it
-also provides the Foomatic glue to integrate the many drivers into any modern (or legacy) printing system
-known to the world.
-</p><p>
-Speaking of the different driver development groups, most of the work is currently done in three projects:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id411360"></a>
- <a class="ulink" href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">Omni</a>
- a free software project by IBM that tries to convert its printer
- driver knowledge from good-ol' OS/2 times into a modern, modular,
- universal driver architecture for Linux/UNIX (still beta). This
- currently supports 437 models.</p></li><li class="listitem"><p>
-<a class="indexterm" name="id411383"></a>
- <a class="ulink" href="http://hpinkjet.sf.net/" target="_top">HPIJS</a>
- a free software project by HP to provide the support for its own
- range of models (very mature, printing in most cases is perfect and
- provides true photo quality). This currently supports 369
- models.</p></li><li class="listitem"><p>
-<a class="indexterm" name="id411404"></a>
- <a class="ulink" href="http://gimp-print.sourceforge.net/" target="_top">Gutenprint</a> a free software
- effort, started by Michael Sweet (also lead developer for CUPS), now
- directed by Robert Krawitz, which has achieved an amazing level of
- photo print quality (many Epson users swear that its quality is
- better than the vendor drivers provided by Epson for the Microsoft
- platforms). This currently supports 522 models.</p></li></ul></div></div><div class="sect3" title="Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)"><div class="titlepage"><div><div><h4 class="title"><a name="id411425"></a>Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)</h4></div></div></div><p>
-Linuxprinting.org today is the one-stop shop to download printer drivers. Look for printer information and
-<a class="ulink" href="http://www.linuxprinting.org//kpfeifle/LinuxKongress2002/Tutorial/" target="_top">tutorials</a> or solve
-printing problems in its popular <a class="ulink" href="http://www.linuxprinting.org/newsportal/" target="_top">forums</a>. This
-forum is not just for GNU/Linux users, but admins of <a class="ulink" href="http://www.linuxprinting.org/macosx/" target="_top">
-commercial UNIX systems</a> are also going there, and the relatively new
-<a class="ulink" href="http://www.linuxprinting.org/newsportal/thread.php3?name=linuxprinting.macosx.general" target="_top">Mac OS X
-forum</a> has turned out to be one of the most frequented forums after only a few weeks.
-</p><p>
-<a class="indexterm" name="id411464"></a>
-<a class="indexterm" name="id411470"></a>
-<a class="indexterm" name="id411477"></a>
-Linuxprinting.org and the Foomatic driver wrappers around Ghostscript are now a standard tool-chain for
-printing on all the important distros. Most of them also have CUPS underneath. While in recent years most
-printer data had been added by Kamppeter, many additional contributions came from engineers with SuSE, Red
-Hat, Conectiva, Debian, and others. Vendor-neutrality is an important goal of the Foomatic project. Mandrake
-and Conectiva have merged and are now called Mandriva.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Till Kamppeter from Mandrakesoft is doing an excellent job in his spare time to maintain Linuxprinting.org and
-Foomatic. So if you use it often, please send him a note showing your appreciation.
-</p></div></div><div class="sect3" title="Foomatic Database-Generated PPDs"><div class="titlepage"><div><div><h4 class="title"><a name="id411496"></a>Foomatic Database-Generated PPDs</h4></div></div></div><p>
-<a class="indexterm" name="id411504"></a>
-<a class="indexterm" name="id411511"></a>
-<a class="indexterm" name="id411518"></a>
-<a class="indexterm" name="id411525"></a>
-<a class="indexterm" name="id411531"></a>
-<a class="indexterm" name="id411538"></a>
-<a class="indexterm" name="id411545"></a>
-<a class="indexterm" name="id411552"></a>
-<a class="indexterm" name="id411558"></a>
-The Foomatic database is an amazing piece of ingenuity in itself. Not only does it keep the printer and driver
-information, but it is organized in a way that it can generate PPD files on the fly from its internal
-XML-based datasets. While these PPDs are modeled to the Adobe specification of PPDs, the
-Linuxprinting.org/Foomatic-PPDs do not normally drive PostScript printers. They are used to describe all the
-bells and whistles you could ring or blow on an Epson Stylus inkjet, or an HP Photosmart, or what-have-you.
-The main trick is one little additional line, not envisaged by the PPD specification, starting with the
-<em class="parameter"><code>*cupsFilter</code></em> keyword. It tells the CUPS daemon how to proceed with the PostScript print
-file (old-style Foomatic-PPDs named the cupsomatic filter script, while the new-style PPDs are now call
-foomatic-rip). This filter script calls Ghostscript on the host system (the recommended variant is ESP
-Ghostscript) to do the rendering work. foomatic-rip knows which filter or internal device setting it should
-ask from Ghostscript to convert the PostScript print job into a raster format ready for the target device.
-This usage of PPDs to describe the options of non-PostScript printers was the invention of the CUPS
-developers. The rest is easy. GUI tools (like KDE's marvelous <a class="ulink" href="http://printing.kde.org/overview/kprinter.phtml" target="_top">kprinter</a> or the GNOME <a class="ulink" href="http://gtklp.sourceforge.net/" target="_top">gtklp</a> xpp and the CUPS Web interface) read the PPD as well and use
-this information to present the available settings to the user as an intuitive menu selection.
-</p></div></div><div class="sect2" title="foomatic-rip and Foomatic PPD Download and Installation"><div class="titlepage"><div><div><h3 class="title"><a name="id411599"></a>foomatic-rip and Foomatic PPD Download and Installation</h3></div></div></div><p>
-Here are the steps to install a foomatic-rip-driven LaserJet 4 Plus-compatible
-printer in CUPS (note that recent distributions of SuSE, UnitedLinux and
-Mandrake may ship with a complete package of Foomatic-PPDs plus the
-<code class="literal">foomatic-rip</code> utility. Going directly to
-Linuxprinting.org ensures that you get the latest driver/PPD files).
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Open your browser at the Linuxprinting.org printer list <a class="ulink" href="http://www.linuxprinting.org/printer_list.cgi" target="_top">page.</a>
- </p></li><li class="listitem"><p>Check the complete list of printers in the
- <a class="ulink" href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">database.</a>.
- </p></li><li class="listitem"><p>Select your model and click on the link.
- </p></li><li class="listitem"><p>You'll arrive at a page listing all drivers working with this
- model (for all printers, there will always be <span class="emphasis"><em>one</em></span>
- recommended driver. Try this one first).
- </p></li><li class="listitem"><p>In our case (HP LaserJet 4 Plus), we'll arrive at the default driver for the
- <a class="ulink" href="http://www.linuxprinting.org/show_printer.cgi?recnum=HP-LaserJet_4_Plus" target="_top">HP-LaserJet 4 Plus.</a>
- </p></li><li class="listitem"><p>The recommended driver is ljet4.</p></li><li class="listitem"><p>Several links are provided here. You should visit them all if you
- are not familiar with the Linuxprinting.org database.
- </p></li><li class="listitem"><p>There is a link to the database page for the
- <a class="ulink" href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">ljet4</a>.
- On the driver's page, you'll find important and detailed information
- about how to use that driver within the various available
- spoolers.</p></li><li class="listitem"><p>Another link may lead you to the home page of the
- author of the driver.</p></li><li class="listitem"><p>Important links are the ones that provide hints with
- setup instructions for <a class="ulink" href="http://www.linuxprinting.org/cups-doc.html" target="_top">CUPS</a>;
- <a class="ulink" href="http://www.linuxprinting.org/pdq-doc.html" target="_top">PDQ</a>;
- <a class="ulink" href="http://www.linuxprinting.org/lpd-doc.html" target="_top">LPD, LPRng, and GNUlpr</a>);
- as well as <a class="ulink" href="http://www.linuxprinting.org/ppr-doc.html" target="_top">PPR</a>
- or <span class="quote">&#8220;<span class="quote">spoolerless</span>&#8221;</span> <a class="ulink" href="http://www.linuxprinting.org/direct-doc.html" target="_top">printing</a>.
- </p></li><li class="listitem"><p>You can view the PPD in your browser through this link:
- <a class="ulink" href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&amp;printer=HP-LaserJet_4_Plus&amp;show=1" target="_top">http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&amp;printer=HP-LaserJet_4_Plus&amp;show=1</a>
- </p></li><li class="listitem"><p>Most importantly, you can also generate and download
- the <a class="ulink" href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&amp;printer=HP-LaserJet_4_Plus&amp;show=0" target="_top">PPD</a>.
- </p></li><li class="listitem"><p>The PPD contains all the information needed to use our
- model and the driver; once installed, this works transparently
- for the user. Later you'll only need to choose resolution, paper size,
- and so on, from the Web-based menu, or from the print dialog GUI, or from
- the command line.</p></li><li class="listitem"><p>If you ended up on the drivers
- <a class="ulink" href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">page</a>,
- you can choose to use the <span class="quote">&#8220;<span class="quote">PPD-O-Matic</span>&#8221;</span> online PPD generator
- program.</p></li><li class="listitem"><p>Select the exact model and check either <span class="guilabel">Download</span> or
- <span class="guilabel">Display PPD file</span> and click <span class="guilabel">Generate PPD file</span>.</p></li><li class="listitem"><p>If you save the PPD file from the browser view, please
- do not use cut and paste (since it could possibly damage line endings
- and tabs, which makes the PPD likely to fail its duty), but use <span class="guimenuitem">Save
- as...</span> in your browser's menu. (It is best to use the <span class="guilabel">Download</span> option
- directly from the Web page.)</p></li><li class="listitem"><p>Another interesting part on each driver page is
- the <span class="guimenuitem">Show execution details</span> button. If you
- select your printer model and click on that button,
- a complete Ghostscript command line will be displayed, enumerating all options
- available for that combination of driver and printer model. This is a great way to
- <span class="quote">&#8220;<span class="quote">learn Ghostscript by doing</span>&#8221;</span>. It is also an excellent cheat sheet
- for all experienced users who need to reconstruct a good command line
- for that darned printing script, but can't remember the exact
- syntax. </p></li><li class="listitem"><p>Sometime during your visit to Linuxprinting.org, save
- the PPD to a suitable place on your hard disk, say
- <code class="filename">/path/to/my-printer.ppd</code> (if you prefer to install
- your printers with the help of the CUPS Web interface, save the PPD to
- the <code class="filename">/usr/share/cups/model/</code> path and restart
- cupsd).</p></li><li class="listitem"><p>Then install the printer with a suitable command line,
- like this:
- </p><pre class="screen">
- <code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E \
- -P path/to/my-printer.ppd</code></strong>
- </pre></li><li class="listitem"><p>For all the new-style <span class="quote">&#8220;<span class="quote">Foomatic-PPDs</span>&#8221;</span>
- from Linuxprinting.org, you also need a special CUPS filter named
- foomatic-rip.
- </p></li><li class="listitem"><p>The foomatic-rip Perl script itself also makes some
- interesting <a class="ulink" href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&amp;show=1" target="_top">reading</a>
- because it is well documented by Kamppeter's in-line comments (even
- non-Perl hackers will learn quite a bit about printing by reading
- it).</p></li><li class="listitem"><p>Save foomatic-rip either directly in
- <code class="filename">/usr/lib/cups/filter/foomatic-rip</code> or somewhere in
- your $PATH (and remember to make it world-executable). Again,
- do not save by copy and paste but use the appropriate link or the
- <span class="guimenuitem">Save as...</span> menu item in your browser.</p></li><li class="listitem"><p>If you save foomatic-rip in your $PATH, create a symlink:
- </p><pre class="screen">
- <code class="prompt">root# </code><strong class="userinput"><code>cd /usr/lib/cups/filter/ ; ln -s `which foomatic-rip'</code></strong>
- </pre><p>
- </p><p>
- CUPS will discover this new available filter at startup after restarting
- cupsd.</p></li></ul></div><p>
-Once you print to a print queue set up with the Foomatic PPD, CUPS will insert the appropriate commands and
-comments into the resulting PostScript job file. foomatic-rip is able to read and act upon these and uses some
-specially encoded Foomatic comments embedded in the job file. These in turn are used to construct
-(transparently for you, the user) the complicated Ghostscript command line telling the printer driver exactly
-how the resulting raster data should look and which printer commands to embed into the data stream. You need:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A <span class="quote">&#8220;<span class="quote">foomatic+something</span>&#8221;</span> PPD but this is not enough
- to print with CUPS (it is only <span class="emphasis"><em>one</em></span> important
- component).</p></li><li class="listitem"><p>The <em class="parameter"><code>foomatic-rip</code></em> filter script (Perl) in
- <code class="filename">/usr/lib/cups/filters/</code>.</p></li><li class="listitem"><p>Perl to make foomatic-rip run.</p></li><li class="listitem"><p>Ghostscript (because it is doing the main work,
- controlled by the PPD/foomatic-rip combo) to produce the raster data
- fit for your printer model's consumption.</p></li><li class="listitem"><p>Ghostscript <span class="emphasis"><em>must</em></span> (depending on
- the driver/model) contain support for a certain device representing
- the selected driver for your model (as shown by <code class="literal">gs -h</code>).</p></li><li class="listitem"><p>foomatic-rip needs a new version of PPDs (PPD versions
- produced for cupsomatic do not work with foomatic-rip).</p></li></ul></div></div></div><div class="sect1" title="Page Accounting with CUPS"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id412022"></a>Page Accounting with CUPS</h2></div></div></div><p>
-<a class="indexterm" name="id412030"></a>
-Often there are questions regarding print quotas where Samba users (that is, Windows clients) should not be
-able to print beyond a certain number of pages or data volume per day, week, or month. This feature is
-dependent on the real print subsystem you're using. Samba's part is always to receive the job files from the
-clients (filtered <span class="emphasis"><em>or</em></span> unfiltered) and hand them over to this printing subsystem.
-</p><p>
-Of course one could hack things with one's own scripts. But then there is CUPS. CUPS supports quotas that can
-be based on the size of jobs or on the number of pages or both, and can span any time period you want.
-</p><div class="sect2" title="Setting Up Quotas"><div class="titlepage"><div><div><h3 class="title"><a name="id412052"></a>Setting Up Quotas</h3></div></div></div><p>
-<a class="indexterm" name="id412060"></a>
-This is an example command of how root would set a print quota in CUPS, assuming an existing printer named
-<span class="quote">&#8220;<span class="quote">quotaprinter</span>&#8221;</span>:
-<a class="indexterm" name="id412073"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p quotaprinter -o job-quota-period=604800 \
- -o job-k-limit=1024 -o job-page-limit=100</code></strong>
-</pre><p>
-This would limit every single user to print no more than 100 pages or 1024 KB of
-data (whichever comes first) within the last 604,800 seconds ( = 1 week).
-</p></div><div class="sect2" title="Correct and Incorrect Accounting"><div class="titlepage"><div><div><h3 class="title"><a name="id412102"></a>Correct and Incorrect Accounting</h3></div></div></div><p>
-For CUPS to count correctly, the printfile needs to pass the CUPS pstops filter; otherwise it uses a dummy
-count of <span class="quote">&#8220;<span class="quote">one</span>&#8221;</span>. Some print files do not pass it (e.g., image files), but then those are mostly
-one-page jobs anyway. This also means that proprietary drivers for the target printer running on the client
-computers and CUPS/Samba, which then spool these files as <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> (i.e., leaving them untouched,
-not filtering them), will be counted as one-pagers too!
-</p><p>
-You need to send PostScript from the clients (i.e., run a PostScript driver there) to have the chance to get
-accounting done. If the printer is a non-PostScript model, you need to let CUPS do the job to convert the file
-to a print-ready format for the target printer. This is currently working for about a thousand different
-printer models. Linuxprinting.org has a driver <a class="ulink" href="http://www.linuxprinting.org/printer_list.cgi" target="_top">list</a>.
-</p></div><div class="sect2" title="Adobe and CUPS PostScript Drivers for Windows Clients"><div class="titlepage"><div><div><h3 class="title"><a name="id412135"></a>Adobe and CUPS PostScript Drivers for Windows Clients</h3></div></div></div><p>
-<a class="indexterm" name="id412143"></a>
-<a class="indexterm" name="id412150"></a>
-<a class="indexterm" name="id412157"></a>
-<a class="indexterm" name="id412164"></a>
-<a class="indexterm" name="id412170"></a>
-Before CUPS 1.1.16, your only option was to use the Adobe PostScript driver on the Windows clients. The output
-of this driver was not always passed through the <code class="literal">pstops</code> filter on the CUPS/Samba side, and
-therefore was not counted correctly (the reason is that it often, depending on the PPD being used, wrote a
-PJL-header in front of the real PostScript, which caused CUPS to skip <code class="literal">pstops</code> and go
-directly to the <code class="literal">pstoraster</code> stage).
-</p><p>
-From CUPS 1.1.16 and later releases, you can use the CUPS PostScript driver for Windows NT/200x/XP
-clients (which is tagged in the download area of <code class="filename">http://www.cups.org/</code> as the
-<code class="filename">cups-samba-1.1.16.tar.gz</code> package). It does <span class="emphasis"><em>not</em></span> work for Windows
-9x/Me clients, but it guarantees:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> <a class="indexterm" name="id412225"></a> To not write a PJL-header.</p></li><li class="listitem"><p>To still read and support all PJL-options named in the
- driver PPD with its own means.</p></li><li class="listitem"><p>That the file will pass through the <code class="literal">pstops</code> filter
- on the CUPS/Samba server.</p></li><li class="listitem"><p>To page-count correctly the print file.</p></li></ul></div><p>
-You can read more about the setup of this combination in the man page for <code class="literal">cupsaddsmb</code> (which
-is only present with CUPS installed, and only current from CUPS 1.1.16).
-</p></div><div class="sect2" title="The page_log File Syntax"><div class="titlepage"><div><div><h3 class="title"><a name="id412266"></a>The page_log File Syntax</h3></div></div></div><p>
-<a class="indexterm" name="id412274"></a>
-These are the items CUPS logs in the <code class="filename">page_log</code> for every page of a job:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Printer name</p></li><li class="listitem"><p>User name</p></li><li class="listitem"><p>Job ID</p></li><li class="listitem"><p>Time of printing</p></li><li class="listitem"><p>Page number</p></li><li class="listitem"><p>Number of copies</p></li><li class="listitem"><p>A billing information string (optional)</p></li><li class="listitem"><p>The host that sent the job (included since version 1.1.19)</p></li></ul></div><p>
-Here is an extract of my CUPS server's <code class="filename">page_log</code> file to illustrate the
-format and included items:
-</p><pre class="screen">
-tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 1 3 #marketing 10.160.50.13
-tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 2 3 #marketing 10.160.50.13
-tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 3 3 #marketing 10.160.50.13
-tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 4 3 #marketing 10.160.50.13
-Dig9110 boss 402 [22/Apr/2003:10:33:22 +0100] 1 440 finance-dep 10.160.51.33
-</pre><p>
-This was job ID <em class="parameter"><code>401</code></em>, printed on <em class="parameter"><code>tec_IS2027</code></em>
-by user <em class="parameter"><code>kurt</code></em>, a 64-page job printed in three copies, billed to
-<em class="parameter"><code>#marketing</code></em>, and sent from IP address <code class="constant">10.160.50.13.</code>
- The next job had ID <em class="parameter"><code>402</code></em>, was sent by user <em class="parameter"><code>boss</code></em>
-from IP address <code class="constant">10.160.51.33</code>, printed from one page 440 copies, and
-is set to be billed to <em class="parameter"><code>finance-dep</code></em>.
-</p></div><div class="sect2" title="Possible Shortcomings"><div class="titlepage"><div><div><h3 class="title"><a name="id412406"></a>Possible Shortcomings</h3></div></div></div><p>
-What flaws or shortcomings are there with this quota system?
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>The ones named above (wrongly logged job in case of
- printer hardware failure, and so on).</p></li><li class="listitem"><p>In reality, CUPS counts the job pages that are being
- processed in <span class="emphasis"><em>software</em></span> (that is, going through the
- RIP) rather than the physical sheets successfully leaving the
- printing device. Thus, if there is a jam while printing the fifth sheet out
- of 1,000 and the job is aborted by the printer, the page count will
- still show the figure of 1,000 for that job.</p></li><li class="listitem"><p>All quotas are the same for all users (no flexibility
- to give the boss a higher quota than the clerk) and no support for
- groups.</p></li><li class="listitem"><p>No means to read out the current balance or the
- <span class="quote">&#8220;<span class="quote">used-up</span>&#8221;</span> number of current quota.</p></li><li class="listitem"><p>A user having used up 99 sheets of a 100 quota will
- still be able to send and print a 1,000 sheet job.</p></li><li class="listitem"><p>A user being denied a job because of a filled-up quota
- does not get a meaningful error message from CUPS other than
- <span class="quote">&#8220;<span class="quote">client-error-not-possible</span>&#8221;</span>.</p></li></ul></div></div><div class="sect2" title="Future Developments"><div class="titlepage"><div><div><h3 class="title"><a name="id412465"></a>Future Developments</h3></div></div></div><p>
-This is the best system currently available, and there are huge
-improvements under development for CUPS 1.2:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Page counting will go into the backends (these talk
- directly to the printer and will increase the count in sync with the
- actual printing process; thus, a jam at the fifth sheet will lead to a
- stop in the counting).</p></li><li class="listitem"><p>Quotas will be handled more flexibly.</p></li><li class="listitem"><p>Probably there will be support for users to inquire
- about their accounts in advance.</p></li><li class="listitem"><p>Probably there will be support for some other tools
- around this topic.</p></li></ul></div></div><div class="sect2" title="Other Accounting Tools"><div class="titlepage"><div><div><h3 class="title"><a name="id412500"></a>Other Accounting Tools</h3></div></div></div><p>
-Other accounting tools that can be used includes: PrintAnalyzer, pyKota, printbill, LogReport.
-For more information regarding these tools you can try a Google search.
-</p></div></div><div class="sect1" title="Additional Material"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id412512"></a>Additional Material</h2></div></div></div><p>
-A printer queue with <span class="emphasis"><em>no</em></span> PPD associated to it is a
-<span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> printer, and all files will go directly there as received by the
-spooler. The exceptions are file types <em class="parameter"><code>application/octet-stream</code></em>
-that need the pass-through feature enabled. <span class="quote">&#8220;<span class="quote">Raw</span>&#8221;</span> queues do not do any
-filtering at all; they hand the file directly to the CUPS backend.
-This backend is responsible for sending the data to the device
-(as in the <span class="quote">&#8220;<span class="quote">device URI</span>&#8221;</span> notation: <code class="filename">lpd://, socket://,
-smb://, ipp://, http://, parallel:/, serial:/, usb:/</code>, and so on).
-</p><p>
-cupsomatic/Foomatic are <span class="emphasis"><em>not</em></span> native CUPS drivers
-and they do not ship with CUPS. They are a third-party add-on
-developed at Linuxprinting.org. As such, they are a brilliant hack to
-make all models (driven by Ghostscript drivers/filters in traditional
-spoolers) also work via CUPS, with the same (good or bad!) quality as
-in these other spoolers. <em class="parameter"><code>cupsomatic</code></em> is only a vehicle to execute a
-Ghostscript command line at that stage in the CUPS filtering chain
-where normally the native CUPS <em class="parameter"><code>pstoraster</code></em> filter would kick
-in. <em class="parameter"><code>cupsomatic</code></em> bypasses <em class="parameter"><code>pstoraster</code></em>, kidnaps the print file from CUPS,
-and redirects it to go through Ghostscript. CUPS accepts this
-because the associated cupsomatic/foomatic-PPD specifies:
-
-</p><pre class="programlisting">
-*cupsFilter: "application/vnd.cups-postscript 0 cupsomatic"
-</pre><p>
-
-This line persuades CUPS to hand the file to <em class="parameter"><code>cupsomatic</code></em> once it has
-successfully converted it to the MIME type
-<em class="parameter"><code>application/vnd.cups-postscript</code></em>. This conversion will not happen for
-jobs arriving from Windows that are autotyped
-<em class="parameter"><code>application/octet-stream</code></em>, with the according changes in
-<code class="filename">/etc/cups/mime.types</code> in place.
-</p><p>
-CUPS is widely configurable and flexible, even regarding its filtering
-mechanism. Another workaround in some situations would be to have in
-<code class="filename">/etc/cups/mime.types</code> entries as follows:
-
-</p><pre class="programlisting">
-application/postscript application/vnd.cups-raw 0 -
-application/vnd.cups-postscript application/vnd.cups-raw 0 -
-</pre><p>
-
-This would prevent all PostScript files from being filtered (rather,
-they will through the virtual <span class="emphasis"><em>nullfilter</em></span>
-denoted with <span class="quote">&#8220;<span class="quote">-</span>&#8221;</span>). This could only be useful for PostScript printers. If you
-want to print PostScript code on non-PostScript printers (provided they support ASCII
-text printing), an entry as follows could be useful:
-
-</p><pre class="programlisting">
-*/* application/vnd.cups-raw 0 -
-</pre><p>
-
-and would effectively send <span class="emphasis"><em>all</em></span> files to the
-backend without further processing.
-</p><p>
-You could have the following entry:
-
-</p><pre class="programlisting">
-application/vnd.cups-postscript application/vnd.cups-raw 0 \
- my_PJL_stripping_filter
-</pre><p>
-
-You will need to write a <em class="parameter"><code>my_PJL_stripping_filter</code></em>
-(which could be a shell script) that parses the PostScript and removes the
-unwanted PJL. This needs to conform to CUPS filter design
-(mainly, receive and pass the parameters printername, job-id,
-username, jobtitle, copies, print options, and possibly the
-filename). It is installed as world executable into
-<code class="filename">/usr/lib/cups/filters/</code> and is called by CUPS
-if it encounters a MIME type <em class="parameter"><code>application/vnd.cups-postscript</code></em>.
-</p><p>
-CUPS can handle <em class="parameter"><code>-o job-hold-until=indefinite</code></em>.
-This keeps the job in the queue on hold. It will only be printed
-upon manual release by the printer operator. This is a requirement in
-many central reproduction departments, where a few operators manage
-the jobs of hundreds of users on some big machine, where no user is
-allowed to have direct access (such as when the operators often need
-to load the proper paper type before running the 10,000 page job
-requested by marketing for the mailing, and so on).
-</p></div><div class="sect1" title="Autodeletion or Preservation of CUPS Spool Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id412700"></a>Autodeletion or Preservation of CUPS Spool Files</h2></div></div></div><p>
-<a class="indexterm" name="id412708"></a>
-<a class="indexterm" name="id412715"></a>
-<a class="indexterm" name="id412722"></a>
-Samba print files pass through two spool directories. One is the incoming directory managed by Samba (set in
-the <a class="link" href="smb.conf.5.html#PATH" target="_top">path = /var/spool/samba</a> directive in the <em class="parameter"><code>[printers]</code></em> section of <code class="filename">smb.conf</code>). The other is the spool directory of your UNIX print subsystem. For
-CUPS it is normally <code class="filename">/var/spool/cups/</code>, as set by the <code class="filename">cupsd.conf</code>
-directive <code class="filename">RequestRoot /var/spool/cups</code>.
-</p><div class="sect2" title="CUPS Configuration Settings Explained"><div class="titlepage"><div><div><h3 class="title"><a name="id412773"></a>CUPS Configuration Settings Explained</h3></div></div></div><p>
-Some important parameter settings in the CUPS configuration file
-<code class="filename">cupsd.conf</code> are:
-</p><div class="variablelist"><dl><dt><span class="term">PreserveJobHistory Yes</span></dt><dd><p>
- This keeps some details of jobs in cupsd's mind (well, it keeps the
- c12345, c12346, and so on, files in the CUPS spool directory, which does a
- similar job as the old-fashioned BSD-LPD control files). This is set
- to <span class="quote">&#8220;<span class="quote">Yes</span>&#8221;</span> as a default.
- </p></dd><dt><span class="term">PreserveJobFiles Yes</span></dt><dd><p>
- This keeps the job files themselves in cupsd's mind
- (it keeps the d12345, d12346, etc., files in the CUPS spool
- directory). This is set to <span class="quote">&#8220;<span class="quote">No</span>&#8221;</span> as the CUPS
- default.
- </p></dd><dt><span class="term"><span class="quote">&#8220;<span class="quote">MaxJobs 500</span>&#8221;</span></span></dt><dd><p>
- This directive controls the maximum number of jobs
- that are kept in memory. Once the number of jobs reaches the limit,
- the oldest completed job is automatically purged from the system to
- make room for the new one. If all of the known jobs are still
- pending or active, then the new job will be rejected. Setting the
- maximum to 0 disables this functionality. The default setting is
- 0.
- </p></dd></dl></div><p>
-(There are also additional settings for <em class="parameter"><code>MaxJobsPerUser</code></em> and
-<em class="parameter"><code>MaxJobsPerPrinter</code></em>.)
-</p></div><div class="sect2" title="Preconditions"><div class="titlepage"><div><div><h3 class="title"><a name="id412850"></a>Preconditions</h3></div></div></div><p>
-For everything to work as it should, you need to have three things:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A Samba smbd that is compiled against <code class="filename">libcups</code> (check
- on Linux by running <strong class="userinput"><code>ldd `which smbd'</code></strong>).</p></li><li class="listitem"><p>A Samba-<code class="filename">smb.conf</code> setting of
- <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = cups</a>.</p></li><li class="listitem"><p>Another Samba <code class="filename">smb.conf</code> setting of
- <a class="link" href="smb.conf.5.html#PRINTCAP" target="_top">printcap = cups</a>.</p></li></ul></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-In this case, all other manually set printing-related commands (like
-<a class="link" href="smb.conf.5.html#PRINTCOMMAND" target="_top">print command</a>,
-<a class="link" href="smb.conf.5.html#LPQCOMMAND" target="_top">lpq command</a>,
-<a class="link" href="smb.conf.5.html#LPRMCOMMAND" target="_top">lprm command</a>,
-<a class="link" href="smb.conf.5.html#LPPAUSECOMMAND" target="_top">lppause command</a>, and
-<a class="link" href="smb.conf.5.html#LPRESUMECOMMAND" target="_top">lpresume command</a>) are ignored, and they should normally have no
-influence whatsoever on your printing.
-</p></div></div><div class="sect2" title="Manual Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id412978"></a>Manual Configuration</h3></div></div></div><p>
-If you want to do things manually, replace the <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = cups</a>
-by <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = bsd</a>. Then your manually set commands may work
-(I haven't tested this), and a <a class="link" href="smb.conf.5.html#PRINTCOMMAND" target="_top">print command = lp -d %P %s; rm %s</a>
-may do what you need.
-</p></div></div><div class="sect1" title="Printing from CUPS to Windows-Attached Printers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id413023"></a>Printing from CUPS to Windows-Attached Printers</h2></div></div></div><p>
-<a class="indexterm" name="id413031"></a>
-<a class="indexterm" name="id413037"></a>
-From time to time the question arises, how can you print <span class="emphasis"><em>to</em></span> a Windows-attached printer
-<span class="emphasis"><em>from</em></span> Samba? Normally the local connection from Windows host to printer would be done by
-USB or parallel cable, but this does not matter to Samba. From here only an SMB connection needs to be opened
-to the Windows host. Of course, this printer must be shared first. As you have learned by now, CUPS uses
-<span class="emphasis"><em>backends</em></span> to talk to printers and other servers. To talk to Windows shared printers, you
-need to use the <code class="filename">smb</code> (surprise, surprise!) backend. Check if this is in the CUPS backend
-directory. This usually resides in <code class="filename">/usr/lib/cups/backend/</code>. You need to find an
-<code class="filename">smb</code> file there. It should be a symlink to <code class="filename">smbspool</code>, and the file
-must exist and be executable:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>ls -l /usr/lib/cups/backend/</code></strong>
-total 253
-drwxr-xr-x 3 root root 720 Apr 30 19:04 .
-drwxr-xr-x 6 root root 125 Dec 19 17:13 ..
--rwxr-xr-x 1 root root 10692 Feb 16 21:29 canon
--rwxr-xr-x 1 root root 10692 Feb 16 21:29 epson
-lrwxrwxrwx 1 root root 3 Apr 17 22:50 http -&gt; ipp
--rwxr-xr-x 1 root root 17316 Apr 17 22:50 ipp
--rwxr-xr-x 1 root root 15420 Apr 20 17:01 lpd
--rwxr-xr-x 1 root root 8656 Apr 20 17:01 parallel
--rwxr-xr-x 1 root root 2162 Mar 31 23:15 pdfdistiller
-lrwxrwxrwx 1 root root 25 Apr 30 19:04 ptal -&gt; /usr/sbin/ptal-cups
--rwxr-xr-x 1 root root 6284 Apr 20 17:01 scsi
-lrwxrwxrwx 1 root root 17 Apr 2 03:11 smb -&gt; /usr/bin/smbspool
--rwxr-xr-x 1 root root 7912 Apr 20 17:01 socket
--rwxr-xr-x 1 root root 9012 Apr 20 17:01 usb
-
-<code class="prompt">root# </code><strong class="userinput"><code>ls -l `which smbspool`</code></strong>
--rwxr-xr-x 1 root root 563245 Dec 28 14:49 /usr/bin/smbspool
-</pre><p>
-If this symlink does not exist, create it:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>ln -s `which smbspool` /usr/lib/cups/backend/smb</code></strong>
-</pre><p>
-<a class="indexterm" name="id413146"></a>
-<a class="indexterm" name="id413153"></a>
-<code class="literal">smbspool</code> was written by Mike Sweet from the CUPS folks. It is included and ships with
-Samba. It may also be used with print subsystems other than CUPS, to spool jobs to Windows printer shares. To
-set up printer <em class="replaceable"><code>winprinter</code></em> on CUPS, you need to have a driver for it. Essentially
-this means to convert the print data on the CUPS/Samba host to a format that the printer can digest (the
-Windows host is unable to convert any files you may send). This also means you should be able to print to the
-printer if it were hooked directly at your Samba/CUPS host. For troubleshooting purposes, this is what you
-should do to determine if that part of the process chain is in order. Then proceed to fix the network
-connection/authentication to the Windows host, and so on.
-</p><p>
-To install a printer with the <em class="parameter"><code>smb</code></em> backend on CUPS, use this command:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>lpadmin -p winprinter -v smb://WINDOWSNETBIOSNAME/printersharename \
- -P /path/to/PPD</code></strong>
-</pre><p>
-<a class="indexterm" name="id413205"></a>
-<a class="indexterm" name="id413212"></a>
-<a class="indexterm" name="id413218"></a>
-The PPD must be able to direct CUPS to generate the print data for the target model. For PostScript printers,
-just use the PPD that would be used with the Windows NT PostScript driver. But what can you do if the printer
-is only accessible with a password? Or if the printer's host is part of another workgroup? This is provided
-for: You can include the required parameters as part of the <code class="filename">smb://</code> device-URI like this:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><code class="filename">smb://WORKGROUP/WINDOWSNETBIOSNAME/printersharename</code></p></li><li class="listitem"><p><code class="filename">smb://username:password@WORKGROUP/WINDOWSNETBIOSNAME/printersharename</code></p></li><li class="listitem"><p><code class="filename">smb://username:password@WINDOWSNETBIOSNAME/printersharename</code></p></li></ul></div><p>
-Note that the device URI will be visible in the process list of the Samba server (e.g., when someone uses the
-<code class="literal">ps -aux</code> command on Linux), even if the username and passwords are sanitized before they get
-written into the log files. This is an inherently insecure option; however, it is the only one. Don't use it
-if you want to protect your passwords. Better share the printer in a way that does not require a password!
-Printing will only work if you have a working NetBIOS name resolution up and running. Note that this is a
-feature of CUPS and you do not necessarily need to have smbd running.
-
-</p></div><div class="sect1" title="More CUPS Filtering Chains"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id413279"></a>More CUPS Filtering Chains</h2></div></div></div><p>
-The diagrams in <a class="link" href="CUPS-printing.html#cups1" title="Figure 22.17. Filtering Chain 1.">Filtering Chain 1</a> and <a class="link" href="CUPS-printing.html#cups2" title="Figure 22.18. Filtering Chain with cupsomatic">Filtering Chain with
-cupsomatic</a> show how CUPS handles print jobs.
-</p><div class="figure"><a name="cups1"></a><p class="title"><b>Figure 22.17. Filtering Chain 1.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/cups1.png" alt="Filtering Chain 1."></div></div></div><br class="figure-break"><div class="figure"><a name="cups2"></a><p class="title"><b>Figure 22.18. Filtering Chain with cupsomatic</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/cups2.png" width="243" alt="Filtering Chain with cupsomatic"></div></div></div><br class="figure-break"></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id413388"></a>Common Errors</h2></div></div></div><div class="sect2" title="Windows 9x/Me Client Can't Install Driver"><div class="titlepage"><div><div><h3 class="title"><a name="id413394"></a>Windows 9x/Me Client Can't Install Driver</h3></div></div></div><p>For Windows 9x/Me, clients require the printer names to be eight
- characters (or <span class="quote">&#8220;<span class="quote">8 plus 3 chars suffix</span>&#8221;</span>) max; otherwise, the driver files
- will not get transferred when you want to download them from Samba.</p></div><div class="sect2" title="&#8220;cupsaddsmb&#8221; Keeps Asking for Root Password in Never-ending Loop"><div class="titlepage"><div><div><h3 class="title"><a name="root-ask-loop"></a><span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> Keeps Asking for Root Password in Never-ending Loop</h3></div></div></div><p>Have you set <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = user</a>? Have
- you used <code class="literal">smbpasswd</code> to give root a Samba account?
- You can do two things: open another terminal and execute
- <code class="literal">smbpasswd -a root</code> to create the account and
- continue entering the password into the first terminal. Or, break
- out of the loop by pressing Enter twice (without trying to type a
- password).</p><p>
- If the error is <span class="quote">&#8220;<span class="quote">Tree connect failed: NT_STATUS_BAD_NETWORK_NAME</span>&#8221;</span>,
- you may have forgotten to create the <code class="filename">/etc/samba/drivers</code> directory.
- </p></div><div class="sect2" title="&#8220;cupsaddsmb&#8221; or &#8220;rpcclient addriver&#8221; Emit Error"><div class="titlepage"><div><div><h3 class="title"><a name="id413464"></a><span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> or <span class="quote">&#8220;<span class="quote">rpcclient addriver</span>&#8221;</span> Emit Error</h3></div></div></div><p>
- If <code class="literal">cupsaddsmb</code>, or <code class="literal">rpcclient addriver</code> emit the error message
- WERR_BAD_PASSWORD, refer to <a class="link" href="CUPS-printing.html#root-ask-loop" title="&#8220;cupsaddsmb&#8221; Keeps Asking for Root Password in Never-ending Loop">the previous common error</a>.
- </p></div><div class="sect2" title="&#8220;cupsaddsmb&#8221; Errors"><div class="titlepage"><div><div><h3 class="title"><a name="id413500"></a><span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> Errors</h3></div></div></div><p>
- The use of <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> gives <span class="quote">&#8220;<span class="quote">No PPD file for printer...</span>&#8221;</span>
- message while PPD file is present. What might the problem be?
- </p><p>
- Have you enabled printer sharing on CUPS? This means, do you have a <code class="literal">&lt;Location
- /printers&gt;....&lt;/Location&gt;</code> section in CUPS server's <code class="filename">cupsd.conf</code> that
- does not deny access to the host you run <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> from? It <span class="emphasis"><em>could</em></span> be an
- issue if you use cupsaddsmb remotely, or if you use it with a <code class="option">-h</code> parameter:
- <strong class="userinput"><code>cupsaddsmb -H sambaserver -h cupsserver -v printername</code></strong>.
- </p><p>Is your <em class="parameter"><code>TempDir</code></em> directive in
- <code class="filename">cupsd.conf</code> set to a valid value, and is it writable?
- </p></div><div class="sect2" title="Client Can't Connect to Samba Printer"><div class="titlepage"><div><div><h3 class="title"><a name="id413571"></a>Client Can't Connect to Samba Printer</h3></div></div></div><p>Use <code class="literal">smbstatus</code> to check which user
- you are from Samba's point of view. Do you have the privileges to
- write into the <em class="parameter"><code>[print$]</code></em>
- share?</p></div><div class="sect2" title="New Account Reconnection from Windows 200x/XP Troubles"><div class="titlepage"><div><div><h3 class="title"><a name="id413594"></a>New Account Reconnection from Windows 200x/XP Troubles</h3></div></div></div><p>
-Once you are connected as the wrong user (for example, as <code class="constant">nobody</code>, which often occurs if
-you have <a class="link" href="smb.conf.5.html#MAPTOGUEST" target="_top">map to guest = bad user</a>), Windows Explorer will not accept an
-attempt to connect again as a different user. There will not be any bytes transferred on the wire to Samba,
-but still you'll see a stupid error message that makes you think Samba has denied access. Use
-<code class="literal">smbstatus</code> to check for active connections. Kill the PIDs. You still can't re-connect, and
-you get the dreaded <code class="computeroutput">You can't connect with a second account from the same
-machine</code> message as soon as you try. And you do not see a single byte arriving at Samba (see
-logs; use <span class="quote">&#8220;<span class="quote">ethereal</span>&#8221;</span>) indicating a renewed connection attempt. Shut all Explorer Windows. This
-makes Windows forget what it has cached in its memory as established connections. Then reconnect as the right
-user. The best method is to use a DOS terminal window and <span class="emphasis"><em>first</em></span> do <strong class="userinput"><code>net use z:
-\\GANDALF\print$ /user:root</code></strong>. Check with <code class="literal">smbstatus</code> that you are
-connected under a different account. Now open the <span class="guilabel">Printers</span> folder (on the Samba server in
-the <span class="guilabel">Network Neighborhood</span>), right-click on the printer in question, and select
-<span class="guibutton">Connect....</span>.
-</p></div><div class="sect2" title="Avoid Being Connected to the Samba Server as the Wrong User"><div class="titlepage"><div><div><h3 class="title"><a name="id413674"></a>Avoid Being Connected to the Samba Server as the Wrong User</h3></div></div></div><p>
-<a class="indexterm" name="id413682"></a>
-You see per <code class="literal">smbstatus</code> that you are connected as user nobody, but you want to be root or
-printer admin. This is probably due to <a class="link" href="smb.conf.5.html#MAPTOGUEST" target="_top">map to guest = bad user</a>, which
-silently connected you under the guest account when you gave (maybe by accident) an incorrect username. Remove
-<a class="link" href="smb.conf.5.html#MAPTOGUEST" target="_top">map to guest</a> if you want to prevent this.
-</p></div><div class="sect2" title="Upgrading to CUPS Drivers from Adobe Drivers"><div class="titlepage"><div><div><h3 class="title"><a name="id413721"></a>Upgrading to CUPS Drivers from Adobe Drivers</h3></div></div></div><p>
-This information came from a mailing list posting regarding problems experienced when
-upgrading from Adobe drivers to CUPS drivers on Microsoft Windows NT/200x/XP clients.
-</p><p>First delete all old Adobe-using printers. Then delete all old Adobe drivers. (On Windows 200x/XP, right-click in
-the background of <span class="guilabel">Printers</span> folder, select <span class="guimenuitem">Server Properties...</span>, select
-tab <span class="guilabel">Drivers</span>, and delete here).</p></div><div class="sect2" title="Can't Use &#8220;cupsaddsmb&#8221; on Samba Server, Which Is a PDC"><div class="titlepage"><div><div><h3 class="title"><a name="id413755"></a>Can't Use <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> on Samba Server, Which Is a PDC</h3></div></div></div><p>Do you use the <span class="quote">&#8220;<span class="quote">naked</span>&#8221;</span> root user name? Try to do it
-this way: <strong class="userinput"><code>cupsaddsmb -U <em class="replaceable"><code>DOMAINNAME</code></em>\\root -v
-<em class="replaceable"><code>printername</code></em></code></strong>&gt; (note the two backslashes: the first one is
-required to <span class="quote">&#8220;<span class="quote">escape</span>&#8221;</span> the second one).</p></div><div class="sect2" title="Deleted Windows 200x Printer Driver Is Still Shown"><div class="titlepage"><div><div><h3 class="title"><a name="id413790"></a>Deleted Windows 200x Printer Driver Is Still Shown</h3></div></div></div><p>Deleting a printer on the client will not delete the
-driver too (to verify, right-click on the white background of the
-<span class="guilabel">Printers</span> folder, select <span class="guimenuitem">Server Properties</span> and click on the
-<span class="guilabel">Drivers</span> tab). These same old drivers will be re-used when you try to
-install a printer with the same name. If you want to update to a new
-driver, delete the old ones first. Deletion is only possible if no
-other printer uses the same driver.</p></div><div class="sect2" title="Windows 200x/XP Local Security Policies"><div class="titlepage"><div><div><h3 class="title"><a name="id413821"></a>Windows 200x/XP Local Security Policies</h3></div></div></div><a class="indexterm" name="id413826"></a><a class="indexterm" name="id413833"></a><p>Local security policies may not allow the installation of unsigned drivers <span class="quote">&#8220;<span class="quote">local
-security policies</span>&#8221;</span> may not allow the installation of printer drivers at all.</p></div><div class="sect2" title="Administrator Cannot Install Printers for All Local Users"><div class="titlepage"><div><div><h3 class="title"><a name="id413852"></a>Administrator Cannot Install Printers for All Local Users</h3></div></div></div><p>
-<a class="indexterm" name="id413860"></a>
-<a class="indexterm" name="id413866"></a>
-Windows XP handles SMB printers on a <span class="quote">&#8220;<span class="quote">per-user</span>&#8221;</span> basis.
-This means every user needs to install the printer himself or herself. To have a printer available for
-everybody, you might want to use the built-in IPP client capabilities of Win XP. Add a printer with the print
-path of <em class="parameter"><code>http://cupsserver:631/printers/printername</code></em>. We're still looking into this one.
-Maybe a logon script could automatically install printers for all users.
-</p></div><div class="sect2" title="Print Change, Notify Functions on NT Clients"><div class="titlepage"><div><div><h3 class="title"><a name="id413888"></a>Print Change, Notify Functions on NT Clients</h3></div></div></div><p>For print change, notify functions on NT++ clients. These need to run the <code class="literal">Server</code>
-service first (renamed to <code class="literal">File &amp; Print Sharing for MS Networks</code> in XP).</p></div><div class="sect2" title="Windows XP SP1"><div class="titlepage"><div><div><h3 class="title"><a name="id413911"></a>Windows XP SP1</h3></div></div></div><p>Windows XP SP1 introduced a Point and Print Restriction Policy (this restriction does not apply to
-<span class="quote">&#8220;<span class="quote">Administrator</span>&#8221;</span> or <span class="quote">&#8220;<span class="quote">Power User</span>&#8221;</span> groups of users). In Group Policy Object Editor, go
-to <span class="guimenu">User Configuration -&gt; Administrative Templates -&gt; Control Panel -&gt; Printers</span>. The policy
-is automatically set to <code class="constant">Enabled</code> and the <code class="constant">Users can only Point and Print to
-machines in their Forest</code> . You probably need to change it to <code class="constant">Disabled</code> or
-<code class="constant">Users can only Point and Print to these servers</code> to make driver downloads from Samba
-possible.
-</p></div><div class="sect2" title="Print Options for All Users Can't Be Set on Windows 200x/XP"><div class="titlepage"><div><div><h3 class="title"><a name="id413953"></a>Print Options for All Users Can't Be Set on Windows 200x/XP</h3></div></div></div><p>How are you doing it? I bet the wrong way (it is not easy to find out, though). There are three
-different ways to bring you to a dialog that <span class="emphasis"><em>seems</em></span> to set everything. All three dialogs
-<span class="emphasis"><em>look</em></span> the same, yet only one of them does what you intend. You need to be Administrator or
-Print Administrator to do this for all users. Here is how I do it on XP:
-</p><div class="orderedlist"><ol class="orderedlist" type="A"><li class="listitem"><p>The first wrong way:
-
- </p><div class="orderedlist"><ol class="orderedlist" type="I"><li class="listitem"><p>Open the <span class="guilabel">Printers</span>
- folder.</p></li><li class="listitem"><p>Right-click on the printer
- (<span class="guilabel">remoteprinter on cupshost</span>) and
- select in context menu <span class="guimenuitem">Printing
- Preferences...</span></p></li><li class="listitem"><p>Look at this dialog closely and remember what it looks like.</p></li></ol></div><p>
- </p></li><li class="listitem"><p>The second wrong way:
- </p><div class="orderedlist"><ol class="orderedlist" type="I"><li class="listitem"><p>Open the <span class="guilabel">Printers</span> folder.</p></li><li class="listitem"><p>Right-click on the printer (<span class="guilabel">remoteprinter on
- cupshost</span>) and select the context menu
- <span class="guimenuitem">Properties</span>.</p></li><li class="listitem"><p>Click on the <span class="guilabel">General</span> tab.</p></li><li class="listitem"><p>Click on the button <span class="guibutton">Printing
- Preferences...</span></p></li><li class="listitem"><p>A new dialog opens. Keep this dialog open and go back
- to the parent dialog.</p></li></ol></div><p>
- </p></li><li class="listitem"><p>The third and correct way:
- </p><div class="orderedlist"><ol class="orderedlist" type="I"><li class="listitem"><p>Open the <span class="guilabel">Printers</span> folder.</p></li><li class="listitem"><p>Right-click on the printer (<span class="guilabel">remoteprinter on
- cupshost</span>) and select the context menu
- <span class="guimenuitem">Properties</span>.</p></li><li class="listitem"><p>Click on the <span class="guilabel">Advanced</span>
- tab. (If everything is <span class="quote">&#8220;<span class="quote">grayed out,</span>&#8221;</span> then you are not logged
- in as a user with enough privileges).</p></li><li class="listitem"><p>Click on the <span class="guibutton">Printing
- Defaults...</span> button.</p></li><li class="listitem"><p>On any of the two new tabs, click on the
- <span class="guibutton">Advanced...</span> button.</p></li><li class="listitem"><p>A new dialog opens. Compare this one to the other
- identical-looking one from step <span class="quote">&#8220;<span class="quote">B.5</span>&#8221;</span> or A.3".</p></li></ol></div><p>
- </p></li></ol></div><p>
-Do you see any difference? I don't either. However, only the last one, which you arrived at with steps
-<span class="quote">&#8220;<span class="quote">C.1. to C.6.</span>&#8221;</span>, will save any settings permanently and be the defaults for new users. If you want
-all clients to get the same defaults, you need to conduct these steps <span class="emphasis"><em>as Administrator</em></span>
-(<a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a> in <code class="filename">smb.conf</code>) <span class="emphasis"><em>before</em></span> a client downloads the
-driver (the clients can later set their own <span class="emphasis"><em>per-user defaults</em></span> by following the procedures
-<span class="emphasis"><em>A</em></span> or <span class="emphasis"><em>B</em></span>).
-</p></div><div class="sect2" title="Most Common Blunders in Driver Settings on Windows Clients"><div class="titlepage"><div><div><h3 class="title"><a name="id414222"></a>Most Common Blunders in Driver Settings on Windows Clients</h3></div></div></div><p>
-Don't use <em class="parameter"><code>Optimize for Speed</code></em>, but use <em class="parameter"><code>Optimize for Portability</code></em>
-instead (Adobe PS Driver). Don't use <em class="parameter"><code>Page Independence: No</code></em>. Always settle with
-<em class="parameter"><code>Page Independence: Yes</code></em> (Microsoft PS Driver and CUPS PS Driver for Windows NT/200x/XP).
-If there are problems with fonts, use <em class="parameter"><code>Download as Softfont into printer</code></em> (Adobe PS
-Driver). For <span class="guilabel">TrueType Download Options</span> choose <code class="constant">Outline</code>. Use
-PostScript Level 2 if you are having trouble with a non-PS printer and if there is a choice.
-</p></div><div class="sect2" title="cupsaddsmb Does Not Work with Newly Installed Printer"><div class="titlepage"><div><div><h3 class="title"><a name="id414274"></a><code class="literal">cupsaddsmb</code> Does Not Work with Newly Installed Printer</h3></div></div></div><p>
-Symptom: The last command of <code class="literal">cupsaddsmb</code> does not complete successfully. If the <code class="literal">cmd
-= setdriver printername printername</code> result was NT_STATUS_UNSUCCESSFUL, then possibly the printer was
-not yet recognized by Samba. Did it show up in Network Neighborhood? Did it show up in <code class="literal">rpcclient
-hostname -c `enumprinters'</code>? Restart smbd (or send a <code class="literal">kill -HUP</code> to all processes
-listed by <code class="literal">smbstatus</code>, and try again.
-</p></div><div class="sect2" title="Permissions on /var/spool/samba/ Get Reset After Each Reboot"><div class="titlepage"><div><div><h3 class="title"><a name="id414320"></a>Permissions on <code class="filename">/var/spool/samba/</code> Get Reset After Each Reboot</h3></div></div></div><p>
-Have you ever by accident set the CUPS spool directory to the same location (<em class="parameter"><code>RequestRoot
-/var/spool/samba/</code></em> in <code class="filename">cupsd.conf</code> or the other way round:
-<code class="filename">/var/spool/cups/</code> is set as <a class="link" href="smb.conf.5.html#PATH" target="_top">path</a>&gt; in the <em class="parameter"><code>[printers]</code></em> section)? These <em class="parameter"><code>must</code></em> be different. Set <em class="parameter"><code>RequestRoot
-/var/spool/cups/</code></em> in <code class="filename">cupsd.conf</code> and <a class="link" href="smb.conf.5.html#PATH" target="_top">path =
-/var/spool/samba</a> in the <em class="parameter"><code>[printers]</code></em> section of <code class="filename">smb.conf</code>. Otherwise,
-cupsd will sanitize permissions to its spool directory with each restart and printing will not work reliably.
-</p></div><div class="sect2" title="Print Queue Called &#8220;lp&#8221; Mishandles Print Jobs"><div class="titlepage"><div><div><h3 class="title"><a name="id414413"></a>Print Queue Called <span class="quote">&#8220;<span class="quote">lp</span>&#8221;</span> Mishandles Print Jobs</h3></div></div></div><p>
-In this case a print queue called <span class="quote">&#8220;<span class="quote">lp</span>&#8221;</span> intermittently swallows jobs and
-spits out completely different ones from what was sent.
-</p><p>
-<a class="indexterm" name="id414432"></a>
-<a class="indexterm" name="id414439"></a>
-<a class="indexterm" name="id414446"></a>
-It is a bad idea to name any printer <span class="quote">&#8220;<span class="quote">lp</span>&#8221;</span>. This is the traditional UNIX name for the default
-printer. CUPS may be set up to do an automatic creation of Implicit Classes. This means, to group all printers
-with the same name to a pool of devices and load-balance the jobs across them in a round-robin fashion.
-Chances are high that someone else has a printer named <span class="quote">&#8220;<span class="quote">lp</span>&#8221;</span> too. You may receive that person's
-jobs and send your own to his or her device unwittingly. To have tight control over the printer names, set
-<em class="parameter"><code>BrowseShortNames No</code></em>. It will present any printer as
-<em class="replaceable"><code>printername@cupshost</code></em>, which gives you better control over what may happen in a
-large networked environment.
-</p></div><div class="sect2" title="Location of Adobe PostScript Driver Files for &#8220;cupsaddsmb&#8221;"><div class="titlepage"><div><div><h3 class="title"><a name="id414476"></a>Location of Adobe PostScript Driver Files for <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span></h3></div></div></div><p>
-Use <code class="literal">smbclient</code> to connect to any Windows box with a shared PostScript printer:
-<code class="literal">smbclient //windowsbox/print\$ -U guest</code>. You can navigate to the
-<code class="filename">W32X86/2</code> subdir to <code class="literal">mget ADOBE*</code> and other files or to
-<code class="filename">WIN40/0</code> to do the same. Another option is to download the <code class="filename">*.exe</code>
-packaged files from the Adobe Web site.
-</p></div></div><div class="sect1" title="Overview of the CUPS Printing Processes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id414527"></a>Overview of the CUPS Printing Processes</h2></div></div></div><p>
-A complete overview of the CUPS printing processes can be found in <a class="link" href="CUPS-printing.html#a_small" title="Figure 22.19. CUPS Printing Overview.">the CUPS
-Printing Overview diagram</a>.
-</p><div class="figure"><a name="a_small"></a><p class="title"><b>Figure 22.19. CUPS Printing Overview.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/a_small.png" width="243" alt="CUPS Printing Overview."></div></div></div><br class="figure-break"></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id404773" href="#id404773" class="para">6</a>] </sup>See also <a class="ulink" href="http://www.cups.org/cups-help.html" target="_top">http://www.cups.org/cups-help.html</a></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="classicalprinting.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 21. Classical Printing Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 23. Stackable VFS modules</td></tr></table></div></body></html>
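Review bot: The removed section "Printing from CUPS to Windows-Attached Printers" is where the guide warns that credentials placed in a device URI of the form smb://username:password@WINDOWSNETBIOSNAME/printersharename are visible in the server's process list (ps -aux), and nothing in this hunk says where that caveat lives once the rendered page is gone. The ChangeNotes.html header further down in this patch names DocBook XSL Stylesheets V1.75.2 as its generator, so these files look like build output; please say in the commit message that the source is kept and how the HTML is regenerated from it. While the source is open, several defects visible in the deleted output should be fixed there rather than lost with it: the stray "&gt;" after the "cupsaddsmb -U DOMAINNAME\\root -v printername" example and after the "path" link in the spool-directory entry, the unclosed parenthesis in "(or send a kill -HUP to all processes listed by smbstatus", the mismatched quote in 'step "B.5" or A.3"', and the run-together sentence under "Windows 200x/XP Local Security Policies".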
diff --git a/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html b/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html
deleted file mode 100644
index 2ef494ffac..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/ChangeNotes.html
+++ /dev/null
@@ -1,144 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. Important and Critical Change Notes for the Samba 3.x Series</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. Important and Critical Change Notes for the Samba 3.x Series</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 9. Important and Critical Change Notes for the Samba 3.x Series"><div class="titlepage"><div><div><h2 class="title"><a name="ChangeNotes"></a>Chapter 9. 
Important and Critical Change Notes for the Samba 3.x Series</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ChangeNotes.html#id348938">Important Samba-3.2.x Change Notes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id348949">Important Samba-3.0.x Change Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ChangeNotes.html#id348997">User and Group Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349287">Essential Group Mappings</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349400">Passdb Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349573">LDAP Changes in Samba-3.0.23</a></span></dt></dl></dd></dl></div><p>
-Please read this chapter carefully before update or upgrading Samba. You should expect to find only critical
-or very important information here. Comprehensive change notes and guidance information can be found in the
-section <a class="link" href="upgrading-to-3.0.html" title="Chapter 35. Updating and Upgrading Samba">Updating and Upgrading Samba</a>.
-</p><div class="sect1" title="Important Samba-3.2.x Change Notes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id348938"></a>Important Samba-3.2.x Change Notes</h2></div></div></div><p>
-!!!!!!!!!!!!Add all critical update notes here!!!!!!!!!!!!!
-</p></div><div class="sect1" title="Important Samba-3.0.x Change Notes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id348949"></a>Important Samba-3.0.x Change Notes</h2></div></div></div><p>
-These following notes pertain in particular to Samba 3.0.23 through Samba 3.0.25c (or more recent 3.0.25
-update). Samba is a fluid and ever changing project. Changes throughout the 3.0.x series release are
-documented in this documention - See <a class="link" href="upgrading-to-3.0.html#oldupdatenotes" title="Upgrading from Samba-2.x to Samba-3.0.25">Upgrading from Samba-2.x to Samba-3.0.25</a>.
-</p><p>
-Sometimes it is difficult to figure out which part, or parts, of the HOWTO documentation should be updated to
-reflect the impact of new or modified features. At other times it becomes clear that the documentation is in
-need of being restructured.
-</p><p>
-In recent times a group of Samba users has joined the thrust to create a new <a class="ulink" href="http://wiki.samba.org/" target="_top">Samba Wiki</a> that is slated to become the all-singing and all-dancing
-new face of Samba documentation. Hopefully, the Wiki will benefit from greater community input and
-thus may be kept more up to date. Until that golden dream materializes and matures it is necessary to
-continue to maintain the HOWTO. This chapter will document major departures from earlier behavior until
-such time as the body of this HOWTO is restructured or modified.
-</p><p>
-This chapter is new to the release of the HOWTO for Samba 3.0.23. It includes much of the notes provided
-in the <code class="filename">WHATSNEW.txt</code> file that is included with the Samba source code release tarball.
-</p><div class="sect2" title="User and Group Changes"><div class="titlepage"><div><div><h3 class="title"><a name="id348997"></a>User and Group Changes</h3></div></div></div><p>
-The change documented here affects unmapped user and group accounts only.
-</p><p>
-<a class="indexterm" name="id349009"></a>
-<a class="indexterm" name="id349016"></a>
-<a class="indexterm" name="id349023"></a>
-<a class="indexterm" name="id349032"></a>
-<a class="indexterm" name="id349040"></a>
-The user and group internal management routines have been rewritten to prevent overlaps of
-assigned Relative Identifiers (RIDs). In the past the has been a potential problem when
-either manually mapping Unix groups with the <code class="literal">net groupmap</code> command or
-when migrating a Windows domain to a Samba domain by executing:
-<code class="literal">net rpc vampire</code>.
-</p><p>
-<a class="indexterm" name="id349069"></a>
-<a class="indexterm" name="id349076"></a>
-<a class="indexterm" name="id349082"></a>
-<a class="indexterm" name="id349089"></a>
-Unmapped users are now assigned a SID in the <code class="literal">S-1-22-1</code> domain and unmapped
-groups are assigned a SID in the <code class="literal">S-1-22-2</code> domain. Previously they were
-assigned a RID within the SAM on the Samba server. For a domain controller this would have been under the
-authority of the domain SID where as on a member server or standalone server, this would have
-been under the authority of the local SAM (see the man page for <code class="literal">net getlocalsid</code>).
-</p><p>
-<a class="indexterm" name="id349122"></a>
-<a class="indexterm" name="id349129"></a>
-<a class="indexterm" name="id349136"></a>
-<a class="indexterm" name="id349142"></a>
-<a class="indexterm" name="id349149"></a>
-The result is that any unmapped users or groups on an upgraded Samba domain controller may
-be assigned a new SID. Because the SID rather than a name is stored in Windows security
-descriptors, this can cause a user to no longer have access to a resource for example if a
-file was copied from a Samba file server to a local Windows client NTFS partition. Any files
-stored on the Samba server itself will continue to be accessible because UNIX stores the UNIX
-GID and not the SID for authorization checks.
-</p><p>
-An example helps to illustrate the change:
-</p><p>
-<a class="indexterm" name="id349167"></a>
-<a class="indexterm" name="id349174"></a>
-<a class="indexterm" name="id349180"></a>
-<a class="indexterm" name="id349187"></a>
-Assume that a group named <span class="emphasis"><em>developers</em></span> exists with a UNIX GID of 782. In this
-case this group does not exist in Samba's group mapping table. It would be perfectly normal for
-this group to be appear in an ACL editor. Prior to Samba-3.0.23, the group SID might appear as
-<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code>.
-</p><p>
-<a class="indexterm" name="id349208"></a>
-<a class="indexterm" name="id349215"></a>
-<a class="indexterm" name="id349222"></a>
-<a class="indexterm" name="id349229"></a>
-With the release of Samba-3.0.23, the group SID would be reported as <code class="literal">S-1-22-2-782</code>. Any
-security descriptors associated with files stored on a Windows NTFS disk partition will not allow access based
-on the group permissions if the user was not a member of the
-<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> group. Because this group SID is
-<code class="literal">S-1-22-2-782</code> and not reported in a user's token, Windows would fail the authorization check
-even though both SIDs in some respect refer to the same UNIX group.
-</p><p>
-<a class="indexterm" name="id349260"></a>
-<a class="indexterm" name="id349267"></a>
-The workaround for versions of Samba prior to 3.0.23, is to create a manual domain group mapping
-entry for the group <span class="emphasis"><em>developers</em></span> to point at the
-<code class="literal">S-1-5-21-647511796-4126122067-3123570092-2565</code> SID. With the release of Samba-3.0.23 this
-workaround is no longer needed.
-</p></div><div class="sect2" title="Essential Group Mappings"><div class="titlepage"><div><div><h3 class="title"><a name="id349287"></a>Essential Group Mappings</h3></div></div></div><p>
-Samba 3.0.x series releases before 3.0.23 automatically created group mappings for the essential Windows
-domain groups <code class="literal">Domain Admins, Domain Users, Domain Guests</code>. Commencing with Samba 3.0.23
-these mappings need to be created by the Samba administrator. Failure to do this may result in a failure to
-correctly authenticate and recoognize valid domain users. When this happens users will not be able to log onto
-the Windows client.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Group mappings are essentail only if the Samba servers is running as a PDC/BDC. Stand-alone servers do not
-require these group mappings.
-</p></div><p>
-The following mappings are required:
-</p><div class="table"><a name="TOSH-domgroups"></a><p class="title"><b>Table 9.1. Essential Domain Group Mappings</b></p><div class="table-contents"><table summary="Essential Domain Group Mappings" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Domain Group</th><th align="center">RID</th><th align="center">Example UNIX Group</th></tr></thead><tbody><tr><td align="center">Domain Admins</td><td align="center">512</td><td align="center">root</td></tr><tr><td align="center">Domain Users</td><td align="center">513</td><td align="center">users</td></tr><tr><td align="center">Domain Guests</td><td align="center">514</td><td align="center">nobody</td></tr></tbody></table></div></div><br class="table-break"><p>
-When the POSIX (UNIX) groups are stored in LDAP, it may be desirable to call these <code class="literal">domadmins, domusers,
-domguests</code> respectively.
-</p><p>
-For further information regarding group mappings see <a class="link" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX">Group Mapping: MS Windows
-and UNIX</a>.
-</p></div><div class="sect2" title="Passdb Changes"><div class="titlepage"><div><div><h3 class="title"><a name="id349400"></a>Passdb Changes</h3></div></div></div><p>
-<a class="indexterm" name="id349408"></a>
-<a class="indexterm" name="id349414"></a>
-<a class="indexterm" name="id349421"></a>
-<a class="indexterm" name="id349428"></a>
-The <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a> parameter no longer accepts multiple passdb backends in a
-chained configuration. Also be aware that the SQL and XML based passdb modules have been
-removed in the Samba-3.0.23 release. More information regarding external support for a SQL
-passdb module can be found on the <a class="ulink" href="http://pdbsql.sourceforge.net/" target="_top">pdbsql</a> web site.
-</p></div><div class="sect2" title="Group Mapping Changes in Samba-3.0.23"><div class="titlepage"><div><div><h3 class="title"><a name="id349457"></a>Group Mapping Changes in Samba-3.0.23</h3></div></div></div><p>
-<a class="indexterm" name="id349464"></a>
-<a class="indexterm" name="id349471"></a>
-<a class="indexterm" name="id349478"></a>
-<a class="indexterm" name="id349484"></a>
-<a class="indexterm" name="id349491"></a>
-<a class="indexterm" name="id349498"></a>
-<a class="indexterm" name="id349505"></a>
-<a class="indexterm" name="id349511"></a>
-<a class="indexterm" name="id349518"></a>
-<a class="indexterm" name="id349525"></a>
-<a class="indexterm" name="id349531"></a>
-The default mapping entries for groups such as <code class="literal">Domain Admins</code> are no longer
-created when using an <code class="literal">smbpasswd</code> file or a <code class="literal">tdbsam</code> passdb
-backend. This means that it is necessary to explicitly execute the <code class="literal">net groupmap add</code>
-to create group mappings, rather than use the <code class="literal">net groupmap modify</code> method to create the
-Windows group SID to UNIX GID mappings. This change has no effect on winbindd's IDMAP functionality
-for domain groups.
-</p></div><div class="sect2" title="LDAP Changes in Samba-3.0.23"><div class="titlepage"><div><div><h3 class="title"><a name="id349573"></a>LDAP Changes in Samba-3.0.23</h3></div></div></div><p>
-<a class="indexterm" name="id349581"></a>
-<a class="indexterm" name="id349588"></a>
-<a class="indexterm" name="id349594"></a>
-<a class="indexterm" name="id349601"></a>
-<a class="indexterm" name="id349608"></a>
-There has been a minor update the Samba LDAP schema file. A substring matching rule has been
-added to the <code class="literal">sambaSID</code> attribute definition. For OpenLDAP servers, this
-will require the addition of <code class="literal">index sambaSID sub</code> to the
-<code class="filename">slapd.conf</code> configuration file. It will be necessary to execute the
-<code class="literal">slapindex</code> command after making this change. There has been no change to the
-actual data storage schema.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 10. Network Browsing</td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-HOWTO/ClientConfig.html b/docs/htmldocs/Samba3-HOWTO/ClientConfig.html
deleted file mode 100644
index fe6b6c1d3d..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/ClientConfig.html
+++ /dev/null
@@ -1,363 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="StandAloneServer.html" title="Chapter 7. Standalone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 8. MS Windows Network Configuration Guide"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 8. 
MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ClientConfig.html#id345986">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ClientConfig.html#id346039">Technical Details</a></span></dt><dd><dl><dt><span class="sect2"><a href="ClientConfig.html#id346080">TCP/IP Configuration</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></span></dt></dl></dd><dt><span class="sect1"><a href="ClientConfig.html#id348714">Common Errors</a></span></dt></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id345986"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id345993"></a>
-<a class="indexterm" name="id346000"></a>
-<a class="indexterm" name="id346007"></a>
-Occasionally network administrators report difficulty getting Microsoft Windows clients to interoperate
-correctly with Samba servers. It seems that some folks just cannot accept the fact that the right way
-to configure an MS Windows network client is precisely as one would do when using MS Windows NT4 or 200x
-servers. Yet there is repetitious need to provide detailed Windows client configuration instructions.
-</p><p>
-<a class="indexterm" name="id346020"></a>
-<a class="indexterm" name="id346028"></a>
-The purpose of this chapter is to graphically illustrate MS Windows client configuration for the most common
-critical aspects of such configuration. An experienced network administrator will not be interested in the
-details of this chapter.
-</p></div><div class="sect1" title="Technical Details"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id346039"></a>Technical Details</h2></div></div></div><p>
-<a class="indexterm" name="id346046"></a>
-<a class="indexterm" name="id346053"></a>
-This chapter discusses TCP/IP protocol configuration as well as network membership for the platforms
-that are in common use today. These are:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Microsoft Windows XP Professional
- </p></li><li class="listitem"><p>
- Windows 2000 Professional
- </p></li><li class="listitem"><p>
- Windows Millennium edition (Me)
- </p></li></ul></div><div class="sect2" title="TCP/IP Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id346080"></a>TCP/IP Configuration</h3></div></div></div><p>
-<a class="indexterm" name="id346088"></a>
-<a class="indexterm" name="id346094"></a>
- The builder of a house must ensure that all construction takes place on a firm foundation.
- The same is true for the builder of a TCP/IP-based networking system. Fundamental network configuration problems
- will plague all network users until they are resolved.
- </p><p>
-<a class="indexterm" name="id346107"></a>
-<a class="indexterm" name="id346114"></a>
- MS Windows workstations and servers can be configured either with fixed
- IP addresses or via DHCP. The examples that follow demonstrate the use of DHCP
- and make only passing reference to those situations where fixed IP configuration
- settings can be effected.
- </p><p>
-<a class="indexterm" name="id346126"></a>
-<a class="indexterm" name="id346133"></a>
- It is possible to use shortcuts or abbreviated keystrokes to arrive at a
- particular configuration screen. The decision was made to base all examples in this
- chapter on use of the <span class="guibutton">Start</span> button.
- </p><div class="sect3" title="MS Windows XP Professional"><div class="titlepage"><div><div><h4 class="title"><a name="id346148"></a>MS Windows XP Professional</h4></div></div></div><p>
-<a class="indexterm" name="id346156"></a>
- There are two paths to the Windows XP TCP/IP configuration panel. Choose the access method that you prefer:
- </p><p>
- Click <span class="guimenu">Start -&gt; Control Panel -&gt; Network Connections</span>.
- </p><p>
- <span class="emphasis"><em>Alternately,</em></span> click <span class="guimenu">Start -&gt;</span>, and right-click <span class="guimenu">My Network Places</span>
- then select <span class="guimenuitem">Properties</span>.
- </p><p>
-<a class="indexterm" name="id346202"></a>
- The following procedure steps through the Windows XP Professional TCP/IP configuration process:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
-<a class="indexterm" name="id346218"></a>
-<a class="indexterm" name="id346225"></a>
-<a class="indexterm" name="id346232"></a>
- On some installations the interface will be called <span class="guimenu">Local Area Connection</span> and
- on others it will be called <span class="guimenu">Network Bridge</span>. On our system it is called <span class="guimenu">Network Bridge</span>.
- Right-click on <span class="guimenu">Network Bridge -&gt; Properties</span>. See <a class="link" href="ClientConfig.html#WXPP002" title="Figure 8.1. Network Bridge Configuration.">&#8220;Network Bridge Configuration.&#8221;</a>.
- </p><div class="figure"><a name="WXPP002"></a><p class="title"><b>Figure 8.1. Network Bridge Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP002.png" alt="Network Bridge Configuration."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 2"><p>
-<a class="indexterm" name="id346315"></a>
-<a class="indexterm" name="id346322"></a>
- The Network Bridge Configuration, or Local Area Connection, panel is used to set TCP/IP protocol settings.
- In <span class="guimenuitem">This connection uses the following items:</span> box,
- click on <span class="guimenu">Internet Protocol (TCP/IP)</span>, then click on <span class="guibutton">Properties</span>.
- </p><p>
-<a class="indexterm" name="id346352"></a>
-<a class="indexterm" name="id346358"></a>
- The default setting is DHCP-enabled operation
- (i.e., <span class="quote">&#8220;<span class="quote">Obtain an IP address automatically</span>&#8221;</span>). See <a class="link" href="ClientConfig.html#WXPP003" title="Figure 8.2. Internet Protocol (TCP/IP) Properties.">&#8220;Internet Protocol (TCP/IP) Properties.&#8221;</a>.
- </p><div class="figure"><a name="WXPP003"></a><p class="title"><b>Figure 8.2. Internet Protocol (TCP/IP) Properties.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP003.png" alt="Internet Protocol (TCP/IP) Properties."></div></div></div><p><br class="figure-break">
- </p><p>
-<a class="indexterm" name="id346420"></a>
-<a class="indexterm" name="id346426"></a>
-<a class="indexterm" name="id346433"></a>
-<a class="indexterm" name="id346440"></a>
- Many network administrators will want to use DHCP to configure all client TCP/IP
- protocol stack settings. (For information on how to configure the ISC DHCP server
- for Windows client support see <a class="link" href="DNSDHCP.html#DHCP" title="DHCP Server">the DNS and DHCP Configuration Guide</a>,
- <a class="link" href="DNSDHCP.html#DHCP" title="DHCP Server">DHCP Server</a>).
- </p><p>
-<a class="indexterm" name="id346466"></a>
-<a class="indexterm" name="id346473"></a>
-<a class="indexterm" name="id346480"></a>
- If it is necessary to provide a fixed IP address, click on <span class="quote">&#8220;<span class="quote">Use the following IP address</span>&#8221;</span> and enter the
- IP Address, the subnet mask, and the default gateway address in the boxes provided.
- </p></li><li class="step" title="Step 3"><p>
-<a class="indexterm" name="id346499"></a>
-<a class="indexterm" name="id346506"></a>
-<a class="indexterm" name="id346512"></a>
-<a class="indexterm" name="id346519"></a>
- Click the <span class="guibutton">Advanced</span> button to proceed with TCP/IP configuration.
- This opens a panel in which it is possible to create additional IP addresses for this interface.
- The technical name for the additional addresses is <span class="emphasis"><em>IP aliases</em></span>, and additionally this
- panel permits the setting of more default gateways (routers). In most cases where DHCP is used, it will not be
- necessary to create additional settings. See <a class="link" href="ClientConfig.html#WXPP005" title="Figure 8.3. Advanced Network Settings">&#8220;Advanced Network Settings&#8221;</a> to see the appearance of this panel.
- </p><div class="figure"><a name="WXPP005"></a><p class="title"><b>Figure 8.3. Advanced Network Settings</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP005.png" alt="Advanced Network Settings"></div></div></div><p><br class="figure-break">
- </p><p>
-<a class="indexterm" name="id346586"></a>
-<a class="indexterm" name="id346592"></a>
-<a class="indexterm" name="id346599"></a>
- Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP.
- </p></li><li class="step" title="Step 4"><p>
-<a class="indexterm" name="id346614"></a>
-<a class="indexterm" name="id346620"></a>
- Click the <span class="guimenu">DNS</span> tab to add DNS server settings.
- The example system uses manually configured DNS settings. When finished making changes, click the
- <span class="guibutton">OK</span> to commit the settings. See <a class="link" href="ClientConfig.html#WXPP014" title="Figure 8.4. DNS Configuration.">&#8220;DNS Configuration.&#8221;</a>.
- </p><div class="figure"><a name="WXPP014"></a><p class="title"><b>Figure 8.4. DNS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP014.png" alt="DNS Configuration."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 5"><p>
-<a class="indexterm" name="id346693"></a>
-<a class="indexterm" name="id346699"></a>
- Click the <span class="guibutton">WINS</span> tab to add manual WINS server entries.
- This step demonstrates an example system that uses manually configured WINS settings.
- When finished making changes, click <span class="guibutton">OK</span> to commit
- the settings. See <a class="link" href="ClientConfig.html#WXPP009" title="Figure 8.5. WINS Configuration">&#8220;WINS Configuration&#8221;</a>.
- </p><div class="figure"><a name="WXPP009"></a><p class="title"><b>Figure 8.5. WINS Configuration</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WXPP009.png" alt="WINS Configuration"></div></div></div><p><br class="figure-break">
- </p></li></ol></div></div><div class="sect3" title="MS Windows 2000"><div class="titlepage"><div><div><h4 class="title"><a name="id346766"></a>MS Windows 2000</h4></div></div></div><p>
-<a class="indexterm" name="id346774"></a>
-<a class="indexterm" name="id346780"></a>
- There are two paths to the Windows 2000 Professional TCP/IP configuration panel. Choose the access method that you prefer:
- </p><p>
- Click <span class="guimenu">Start -&gt; Control Panel -&gt; Network and Dial-up Connections</span>.
- </p><p>
- <span class="emphasis"><em>Alternatively,</em></span> click <span class="guimenu">Start</span>, then right-click <span class="guimenu">My Network Places</span>, and
- select <span class="guimenuitem">Properties</span>.
- </p><p>
-<a class="indexterm" name="id346827"></a>
- The following procedure steps through the Windows XP Professional TCP/IP configuration process:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Right-click on <span class="guimenu">Local Area Connection</span>, then click
- <span class="guimenuitem">Properties</span>. See <a class="link" href="ClientConfig.html#w2kp001" title="Figure 8.6. Local Area Connection Properties.">&#8220;Local Area Connection Properties.&#8221;</a>.
- </p><div class="figure"><a name="w2kp001"></a><p class="title"><b>Figure 8.6. Local Area Connection Properties.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp001.png" alt="Local Area Connection Properties."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 2"><p>
-<a class="indexterm" name="id346905"></a>
-<a class="indexterm" name="id346912"></a>
- The Local Area Connection Properties is used to set TCP/IP protocol settings. Click on
- <span class="guimenu">Internet Protocol (TCP/IP)</span> in the <span class="guimenuitem">Components checked are used by this
- connection:</span> box, then click the <span class="guibutton">Properties</span> button.
- </p></li><li class="step" title="Step 3"><p>
-<a class="indexterm" name="id346945"></a>
-<a class="indexterm" name="id346952"></a>
- The default setting is DHCP-enabled operation
- (i.e., <span class="quote">&#8220;<span class="quote">Obtain an IP address automatically</span>&#8221;</span>). See <a class="link" href="ClientConfig.html#w2kp002" title="Figure 8.7. Internet Protocol (TCP/IP) Properties.">&#8220;Internet Protocol (TCP/IP) Properties.&#8221;</a>.
- </p><div class="figure"><a name="w2kp002"></a><p class="title"><b>Figure 8.7. Internet Protocol (TCP/IP) Properties.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp002.png" alt="Internet Protocol (TCP/IP) Properties."></div></div></div><p><br class="figure-break">
- </p><p>
-<a class="indexterm" name="id347009"></a>
-<a class="indexterm" name="id347016"></a>
- Many network administrators will want to use DHCP to configure all client TCP/IP
- protocol stack settings. (For information on how to configure the ISC DHCP server
- for Windows client support, see, <a class="link" href="DNSDHCP.html#DHCP" title="DHCP Server">&#8220;DHCP Server&#8221;</a>).
- </p><p>
-<a class="indexterm" name="id347033"></a>
-<a class="indexterm" name="id347040"></a>
- If it is necessary to provide a fixed IP address, click on <span class="quote">&#8220;<span class="quote">Use the following IP address</span>&#8221;</span> and enter the
- IP Address, the subnet mask, and the default gateway address in the boxes provided.
- For this example we are assuming that all network clients will be configured using DHCP.
- </p></li><li class="step" title="Step 4"><p>
- Click the <span class="guimenu">Advanced</span> button to proceed with TCP/IP configuration.
- Refer to <a class="link" href="ClientConfig.html#w2kp003" title="Figure 8.8. Advanced Network Settings.">&#8220;Advanced Network Settings.&#8221;</a>.
- </p><div class="figure"><a name="w2kp003"></a><p class="title"><b>Figure 8.8. Advanced Network Settings.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp003.png" alt="Advanced Network Settings."></div></div></div><p><br class="figure-break">
- </p><p>
-<a class="indexterm" name="id347113"></a>
-<a class="indexterm" name="id347119"></a>
-<a class="indexterm" name="id347126"></a>
- Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP.
- </p></li><li class="step" title="Step 5"><p>
-<a class="indexterm" name="id347140"></a>
-<a class="indexterm" name="id347147"></a>
- Click the <span class="guimenu">DNS</span> tab to add DNS server settings.
- The example system uses manually configured DNS settings. When finished making changes,
- click <span class="guibutton">OK</span> to commit the settings. See <a class="link" href="ClientConfig.html#w2kp004" title="Figure 8.9. DNS Configuration.">&#8220;DNS Configuration.&#8221;</a>.
- </p><div class="figure"><a name="w2kp004"></a><p class="title"><b>Figure 8.9. DNS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp004.png" alt="DNS Configuration."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 6"><p>
-<a class="indexterm" name="id347216"></a>
-<a class="indexterm" name="id347223"></a>
- Click the <span class="guibutton">WINS</span> tab to add manual WINS server entries.
- This step demonstrates an example system that uses manually configured WINS settings.
- When finished making changes, click <span class="guibutton">OK</span> to commit the settings.
- See <a class="link" href="ClientConfig.html#w2kp005" title="Figure 8.10. WINS Configuration.">&#8220;WINS Configuration.&#8221;</a>.
- </p><div class="figure"><a name="w2kp005"></a><p class="title"><b>Figure 8.10. WINS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/w2kp005.png" alt="WINS Configuration."></div></div></div><p><br class="figure-break">
- </p></li></ol></div></div><div class="sect3" title="MS Windows Me"><div class="titlepage"><div><div><h4 class="title"><a name="id347292"></a>MS Windows Me</h4></div></div></div><p>
-<a class="indexterm" name="id347299"></a>
-<a class="indexterm" name="id347306"></a>
-<a class="indexterm" name="id347313"></a>
- There are two paths to the Windows Millennium edition (Me) TCP/IP configuration panel. Choose the access method that you prefer:
- </p><p>
- Click <span class="guimenu">Start -&gt; Control Panel -&gt; Network Connections</span>.
- </p><p>
-<a class="indexterm" name="id347334"></a>
-<a class="indexterm" name="id347341"></a>
- <span class="emphasis"><em>Alternatively,</em></span> click on <span class="guimenu">Start -&gt;</span>, and right click on <span class="guimenu">My Network Places</span>
- then select <span class="guimenuitem">Properties</span>.
- </p><p>
-<a class="indexterm" name="id347373"></a>
- The following procedure steps through the Windows Me TCP/IP configuration process:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
-<a class="indexterm" name="id347389"></a>
- In the box labeled <span class="guimenuitem">The following network components are installed:</span>,
- click on <span class="guimenu">Internet Protocol TCP/IP</span>, then click on the <span class="guibutton">Properties</span> button.
- See <a class="link" href="ClientConfig.html#WME001" title="Figure 8.11. The Windows Me Network Configuration Panel.">&#8220;The Windows Me Network Configuration Panel.&#8221;</a>.
- </p><div class="figure"><a name="WME001"></a><p class="title"><b>Figure 8.11. The Windows Me Network Configuration Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME001.png" alt="The Windows Me Network Configuration Panel."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 2"><p>
-<a class="indexterm" name="id347468"></a>
-<a class="indexterm" name="id347475"></a>
-<a class="indexterm" name="id347481"></a>
- Many network administrators will want to use DHCP to configure all client TCP/IP
- protocol stack settings. (For information on how to configure the ISC DHCP server
- for Windows client support see <a class="link" href="DNSDHCP.html#DHCP" title="DHCP Server">the DNS and DHCP Configuration Guide</a>,
- <a class="link" href="DNSDHCP.html#DHCP" title="DHCP Server">DHCP Server</a>). The default setting on Windows Me workstations is for DHCP-enabled operation
- (i.e., <span class="guimenu">Obtain IP address automatically</span> is enabled). See <a class="link" href="ClientConfig.html#WME002" title="Figure 8.12. IP Address.">&#8220;IP Address.&#8221;</a>.
- </p><div class="figure"><a name="WME002"></a><p class="title"><b>Figure 8.12. IP Address.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME002.png" alt="IP Address."></div></div></div><p><br class="figure-break">
- </p><p>
-<a class="indexterm" name="id347558"></a>
-<a class="indexterm" name="id347565"></a>
-<a class="indexterm" name="id347572"></a>
- If it is necessary to provide a fixed IP address, click on <span class="guimenuitem">Specify an IP address</span> and enter the
- IP Address and the subnet mask in the boxes provided. For this example we are assuming that all
- network clients will be configured using DHCP.
- </p></li><li class="step" title="Step 3"><p>
-<a class="indexterm" name="id347593"></a>
-<a class="indexterm" name="id347600"></a>
- Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP.
- </p></li><li class="step" title="Step 4"><p>
-<a class="indexterm" name="id347614"></a>
- If necessary, click the <span class="guimenu">DNS Configuration</span> tab to add DNS server settings.
- Click the <span class="guibutton">WINS Configuration</span> tab to add WINS server settings.
- The <span class="guimenu">Gateway</span> tab allows additional gateways (router addresses) to be added to the network
- interface settings. In most cases where DHCP is used, it will not be necessary to
- create these manual settings.
- </p></li><li class="step" title="Step 5"><p>
-<a class="indexterm" name="id347648"></a>
-<a class="indexterm" name="id347654"></a>
- The following example uses manually configured WINS settings. See <a class="link" href="ClientConfig.html#WME005" title="Figure 8.13. DNS Configuration.">&#8220;DNS Configuration.&#8221;</a>.
- When finished making changes, click <span class="guibutton">OK</span> to commit the settings.
- </p><div class="figure"><a name="WME005"></a><p class="title"><b>Figure 8.13. DNS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME005.png" alt="DNS Configuration."></div></div></div><p><br class="figure-break">
- </p><p>
-<a class="indexterm" name="id347714"></a>
-<a class="indexterm" name="id347721"></a>
- This is an example of a system that uses manually configured WINS settings. One situation where
- this might apply is on a network that has a single DHCP server that provides settings for multiple
- Windows workgroups or domains. See <a class="link" href="ClientConfig.html#WME003" title="Figure 8.14. WINS Configuration.">&#8220;WINS Configuration.&#8221;</a>.
- </p><div class="figure"><a name="WME003"></a><p class="title"><b>Figure 8.14. WINS Configuration.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME003.png" alt="WINS Configuration."></div></div></div><p><br class="figure-break">
- </p></li></ol></div></div></div><div class="sect2" title="Joining a Domain: Windows 2000/XP Professional"><div class="titlepage"><div><div><h3 class="title"><a name="id347777"></a>Joining a Domain: Windows 2000/XP Professional</h3></div></div></div><p>
-<a class="indexterm" name="id347785"></a>
-<a class="indexterm" name="id347792"></a>
-<a class="indexterm" name="id347799"></a>
-<a class="indexterm" name="id347806"></a>
- Microsoft Windows NT/200x/XP Professional platforms can participate in domain security.
- This section steps through the process for making a Windows 200x/XP Professional machine a
- member of a domain security environment. It should be noted that this process is identical
- when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Click <span class="guimenu">Start</span>.
- </p></li><li class="step" title="Step 2"><p>
- Right-click <span class="guimenu">My Computer</span>, then select <span class="guimenuitem">Properties</span>.
- </p></li><li class="step" title="Step 3"><p>
-<a class="indexterm" name="id347856"></a>
- The opening panel is the same one that can be reached by clicking <span class="guimenu">System</span> on the Control Panel.
- See <a class="link" href="ClientConfig.html#wxpp001" title="Figure 8.15. The General Panel.">&#8220;The General Panel.&#8221;</a>.
- </p><div class="figure"><a name="wxpp001"></a><p class="title"><b>Figure 8.15. The General Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp001.png" alt="The General Panel."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 4"><p>
-<a class="indexterm" name="id347920"></a>
- Click the <span class="guimenu">Computer Name</span> tab.
- This panel shows the <span class="guimenuitem">Computer Description</span>, the <span class="guimenuitem">Full computer name</span>,
- and the <span class="guimenuitem">Workgroup</span> or <span class="guimenuitem">Domain name</span>.
- </p><p>
-<a class="indexterm" name="id347960"></a>
-<a class="indexterm" name="id347967"></a>
- Clicking the <span class="guimenu">Network ID</span> button will launch the configuration wizard. Do not use this with
- Samba-3. If you wish to change the computer name or join or leave the domain, click the <span class="guimenu">Change</span> button.
- See <a class="link" href="ClientConfig.html#wxpp004" title="Figure 8.16. The Computer Name Panel.">&#8220;The Computer Name Panel.&#8221;</a>.
- </p><div class="figure"><a name="wxpp004"></a><p class="title"><b>Figure 8.16. The Computer Name Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp004.png" alt="The Computer Name Panel."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 5"><p>
- Click on <span class="guimenu">Change</span>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP.
- We will join the domain called MIDEARTH. See <a class="link" href="ClientConfig.html#wxpp006" title="Figure 8.17. The Computer Name Changes Panel.">&#8220;The Computer Name Changes Panel.&#8221;</a>.
- </p><div class="figure"><a name="wxpp006"></a><p class="title"><b>Figure 8.17. The Computer Name Changes Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp006.png" alt="The Computer Name Changes Panel."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 6"><p>
-<a class="indexterm" name="id348095"></a>
- Enter the name <span class="guimenu">MIDEARTH</span> in the field below the domain radio button.
- </p><p>
- This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <a class="link" href="ClientConfig.html#wxpp007" title="Figure 8.18. The Computer Name Changes Panel Domain MIDEARTH.">&#8220;The Computer Name Changes Panel Domain MIDEARTH.&#8221;</a>.
- </p><div class="figure"><a name="wxpp007"></a><p class="title"><b>Figure 8.18. The Computer Name Changes Panel Domain MIDEARTH.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp007.png" alt="The Computer Name Changes Panel Domain MIDEARTH."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 7"><p>
-<a class="indexterm" name="id348165"></a>
-<a class="indexterm" name="id348172"></a>
- Now click the <span class="guimenu">OK</span> button. A dialog box should appear to allow you to provide the
- credentials (username and password) of a domain administrative account that has the rights to add machines to
- the domain.
- </p><p>
-<a class="indexterm" name="id348189"></a>
- Enter the name <span class="quote">&#8220;<span class="quote">root</span>&#8221;</span> and the root password from your Samba-3 server. See <a class="link" href="ClientConfig.html#wxpp008" title="Figure 8.19. Computer Name Changes Username and Password Panel.">&#8220;Computer Name Changes Username and Password Panel.&#8221;</a>.
- </p><div class="figure"><a name="wxpp008"></a><p class="title"><b>Figure 8.19. Computer Name Changes Username and Password Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp008.png" alt="Computer Name Changes Username and Password Panel."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 8"><p>
- Click on <span class="guimenu">OK</span>.
- </p><p>
-<a class="indexterm" name="id348264"></a>
-<a class="indexterm" name="id348271"></a>
- The <span class="quote">&#8220;<span class="quote">Welcome to the MIDEARTH domain.</span>&#8221;</span> dialog box should appear. At this point the machine must be rebooted.
- Joining the domain is now complete.
- </p></li></ol></div></div><div class="sect2" title="Domain Logon Configuration: Windows 9x/Me"><div class="titlepage"><div><div><h3 class="title"><a name="id348286"></a>Domain Logon Configuration: Windows 9x/Me</h3></div></div></div><p>
-<a class="indexterm" name="id348294"></a>
-<a class="indexterm" name="id348300"></a>
-<a class="indexterm" name="id348307"></a>
- We follow the convention used by most in saying that Windows 9x/Me machines can participate in domain logons. The truth is
- that these platforms can use only the LanManager network logon protocols.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id348320"></a>
-<a class="indexterm" name="id348327"></a>
-<a class="indexterm" name="id348334"></a>
- Windows XP Home edition cannot participate in domain or LanManager network logons.
- </p></div><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Right-click on the <span class="guimenu">Network Neighborhood</span> icon.
- </p></li><li class="step" title="Step 2"><p>
- The Network Configuration Panel allows all common network settings to be changed.
- See <a class="link" href="ClientConfig.html#WME009" title="Figure 8.20. The Network Panel.">&#8220;The Network Panel.&#8221;</a>.
- </p><div class="figure"><a name="WME009"></a><p class="title"><b>Figure 8.20. The Network Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME009.png" alt="The Network Panel."></div></div></div><p><br class="figure-break">
- </p><p>
-<a class="indexterm" name="id348410"></a>
-<a class="indexterm" name="id348417"></a>
- Make sure that the <span class="guimenu">Client for Microsoft Networks</span> driver is installed as shown.
- Click on the <span class="guimenu">Client for Microsoft Networks</span> entry in <span class="guimenu">The following network
- components are installed:</span> box. Then click the <span class="guibutton">Properties</span> button.
- </p></li><li class="step" title="Step 3"><p>
-<a class="indexterm" name="id348455"></a>
-<a class="indexterm" name="id348462"></a>
- The Client for Microsoft Networks Properties panel is the correct location to configure network logon
- settings. See <a class="link" href="ClientConfig.html#WME010" title="Figure 8.21. Client for Microsoft Networks Properties Panel.">&#8220;Client for Microsoft Networks Properties Panel.&#8221;</a>.
- </p><div class="figure"><a name="WME010"></a><p class="title"><b>Figure 8.21. Client for Microsoft Networks Properties Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME010.png" alt="Client for Microsoft Networks Properties Panel."></div></div></div><p><br class="figure-break">
- </p><p>
-<a class="indexterm" name="id348517"></a>
-<a class="indexterm" name="id348523"></a>
- Enter the Windows NT domain name, check the <span class="guimenu">Log on to Windows NT domain</span> box,
- and click <span class="guimenu">OK</span>.
- </p></li><li class="step" title="Step 4"><p>
-<a class="indexterm" name="id348549"></a>
-<a class="indexterm" name="id348556"></a>
-<a class="indexterm" name="id348563"></a>
- Click on the <span class="guimenu">Identification</span> button. This is the location at which the workgroup
- (domain) name and the machine name (computer name) need to be set. See <a class="link" href="ClientConfig.html#WME013" title="Figure 8.22. Identification Panel.">&#8220;Identification Panel.&#8221;</a>.
- </p><div class="figure"><a name="WME013"></a><p class="title"><b>Figure 8.22. Identification Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME013.png" alt="Identification Panel."></div></div></div><p><br class="figure-break">
- </p></li><li class="step" title="Step 5"><p>
-<a class="indexterm" name="id348626"></a>
-<a class="indexterm" name="id348633"></a>
-<a class="indexterm" name="id348640"></a>
-<a class="indexterm" name="id348646"></a>
- Now click the <span class="guimenu">Access Control</span> button. If you want to be able to assign share access
- permissions using domain user and group accounts, it is necessary to enable
- <span class="guimenu">User-level access control</span> as shown in this panel. See <a class="link" href="ClientConfig.html#WME014" title="Figure 8.23. Access Control Panel.">&#8220;Access Control Panel.&#8221;</a>.
- </p><div class="figure"><a name="WME014"></a><p class="title"><b>Figure 8.23. Access Control Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WME014.png" alt="Access Control Panel."></div></div></div><p><br class="figure-break">
- </p></li></ol></div></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id348714"></a>Common Errors</h2></div></div></div><p>
-<a class="indexterm" name="id348721"></a>
-<a class="indexterm" name="id348728"></a>
-The most common errors that can afflict Windows networking systems include:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Incorrect IP address.</p></li><li class="listitem"><p>Incorrect or inconsistent netmasks.</p></li><li class="listitem"><p>Incorrect router address.</p></li><li class="listitem"><p>Incorrect DNS server address.</p></li><li class="listitem"><p>Incorrect WINS server address.</p></li><li class="listitem"><p>Use of a Network Scope setting watch out for this one!</p></li></ul></div><p>
-<a class="indexterm" name="id348774"></a>
-<a class="indexterm" name="id348780"></a>
-The most common reasons for which a Windows NT/200x/XP Professional client cannot join the Samba controlled domain are:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><code class="filename">smb.conf</code> does not have correct <a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a> settings.</p></li><li class="listitem"><p><span class="quote">&#8220;<span class="quote">root</span>&#8221;</span> account is not in password backend database.</p></li><li class="listitem"><p>Attempt to use a user account instead of the <span class="quote">&#8220;<span class="quote">root</span>&#8221;</span> account to join a machine to the domain.</p></li><li class="listitem"><p>Open connections from the workstation to the server.</p></li><li class="listitem"><p>Firewall or filter configurations in place on either the client or the Samba server.</p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Standalone Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html>
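Review bot: Step 7 of the Windows 2000/XP join procedure removed here has the reader type "root" and the Samba-3 server's root password into the workstation's credential dialog, and the Common Errors list counts joining with any other account as a mistake. Removing the rendered HTML does not retire that advice if the chapter is rebuilt from its source, so check the source and decide whether it should explain how to limit the joining account to adding machines, which is what the step's own wording ("a domain administrative account that has the rights to add machines to the domain") implies. Two smaller defects on the same page would carry over as well: Step 5 of the Windows Me procedure introduces manually configured WINS settings but points at Figure 8.13 "DNS Configuration.", and the last Common Errors bullet reads "Use of a Network Scope setting watch out for this one!" with its separator lost.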
diff --git a/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html b/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html
deleted file mode 100644
index 9f45721e47..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html
+++ /dev/null
@@ -1,265 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 48. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="ch47.html" title="Chapter 47. Samba Support"><link rel="next" href="apa.html" title="Appendix A.  GNU General Public License version 3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 48. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch47.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="apa.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 48. DNS and DHCP Configuration Guide"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 48. 
DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="DNSDHCP.html#id454166">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="DNSDHCP.html#id454326">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="DNSDHCP.html#id454402">Dynamic DNS</a></span></dt><dt><span class="sect2"><a href="DNSDHCP.html#DHCP">DHCP Server</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id454166"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id454174"></a>
-<a class="indexterm" name="id454183"></a>
-There are few subjects in the UNIX world that might raise as much contention as
-Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP).
-Not all opinions held for or against particular implementations of DNS and DHCP
-are valid.
-</p><p>
-We live in a modern age where many information technology users demand mobility
-and freedom. Microsoft Windows users in particular expect to be able to plug their
-notebook computer into a network port and have things <span class="quote">&#8220;<span class="quote">just work.</span>&#8221;</span>
-</p><p>
-<a class="indexterm" name="id454206"></a>
-UNIX administrators have a point. Many of the normative practices in the Microsoft
-Windows world at best border on bad practice from a security perspective.
-Microsoft Windows networking protocols allow workstations to arbitrarily register
-themselves on a network. Windows 2000 Active Directory registers entries in the DNS namespace
-that are equally perplexing to UNIX administrators. Welcome to the new world!
-</p><p>
-<a class="indexterm" name="id454219"></a>
-<a class="indexterm" name="id454228"></a>
-<a class="indexterm" name="id454237"></a>
-The purpose of this chapter is to demonstrate the configuration of the Internet
-Software Consortium (ISC) DNS and DHCP servers to provide dynamic services that are
-compatible with their equivalents in the Microsoft Windows 2000 Server products.
-</p><p>
-This chapter provides no more than a working example of configuration files for both DNS and DHCP servers. The
-examples used match configuration examples used elsewhere in this document.
-</p><p>
-<a class="indexterm" name="id454257"></a>
-<a class="indexterm" name="id454263"></a>
-<a class="indexterm" name="id454270"></a>
-This chapter explicitly does not provide a tutorial, nor does it pretend to be a reference guide on DNS and
-DHCP, as this is well beyond the scope and intent of this document as a whole. Anyone who wants more detailed
-reference materials on DNS or DHCP should visit the ISC Web site at <a class="ulink" href="http://www.isc.org" target="_top"> http://www.isc.org</a>. Those wanting a written text might also be interested
-in the O'Reilly publications on DNS, see the <a class="ulink" href="http://www.oreilly.com/catalog/dns/index.htm" target="_top">O'Reilly</a> web site, and the <a class="ulink" href="http://www.bind9.net/books-dhcp" target="_top">BIND9.NET</a> web site for details.
-The books are:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>DNS and BIND, By Cricket Liu, Paul Albitz, ISBN: 1-56592-010-4</p></li><li class="listitem"><p>DNS &amp; Bind Cookbook, By Cricket Liu, ISBN: 0-596-00410-9</p></li><li class="listitem"><p>The DHCP Handbook (2nd Edition), By: Ralph Droms, Ted Lemon, ISBN 0-672-32327-3</p></li></ol></div></div><div class="sect1" title="Example Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id454326"></a>Example Configuration</h2></div></div></div><p>
-<a class="indexterm" name="id454334"></a>
-<a class="indexterm" name="id454340"></a>
-The DNS is to the Internet what water is to life. Nearly all information resources (host names) are resolved
-to their Internet protocol (IP) addresses through DNS. Windows networking tried hard to avoid the
-complexities of DNS, but alas, DNS won. <a class="indexterm" name="id454349"></a> The alternative to
-DNS, the Windows Internet Name Service (WINS) an artifact of NetBIOS networking over the TCP/IP
-protocols has demonstrated scalability problems as well as a flat, nonhierarchical namespace that
-became unmanageable as the size and complexity of information technology networks grew.
-</p><p>
-<a class="indexterm" name="id454368"></a>
-<a class="indexterm" name="id454374"></a>
-WINS is a Microsoft implementation of the RFC1001/1002 NetBIOS Name Service (NBNS).
-It allows NetBIOS clients (like Microsoft Windows machines) to register an arbitrary
-machine name that the administrator or user has chosen together with the IP
-address that the machine has been given. Through the use of WINS, network client machines
-could resolve machine names to their IP address.
-</p><p>
-The demand for an alternative to the limitations of NetBIOS networking finally drove
-Microsoft to use DNS and Active Directory. Microsoft's new implementation attempts
-to use DNS in a manner similar to the way that WINS is used for NetBIOS networking.
-Both WINS and Microsoft DNS rely on dynamic name registration.
-</p><p>
-Microsoft Windows clients can perform dynamic name registration to the DNS server
-on startup. Alternatively, where DHCP is used to assign workstation IP addresses,
-it is possible to register hostnames and their IP address by the DHCP server as
-soon as a client acknowledges an IP address lease. Finally, Microsoft DNS can resolve
-hostnames via Microsoft WINS.
-</p><p>
-The following configurations demonstrate a simple, insecure dynamic DNS server and
-a simple DHCP server that matches the DNS configuration.
-</p><div class="sect2" title="Dynamic DNS"><div class="titlepage"><div><div><h3 class="title"><a name="id454402"></a>Dynamic DNS</h3></div></div></div><p>
- <a class="indexterm" name="id454410"></a>
- The example DNS configuration is for a private network in the IP address
- space for network 192.168.1.0/24. The private class network address space
- is set forth in RFC1918.
- </p><p>
- <a class="indexterm" name="id454423"></a>
- It is assumed that this network will be situated behind a secure firewall.
- The files that follow work with ISC BIND version 9. BIND is the Berkeley
- Internet Name Daemon.
- </p><p>
- The master configuration file <code class="filename">/etc/named.conf</code>
- determines the location of all further configuration files used.
- The location and name of this file is specified in the startup script
- that is part of the operating system.
-</p><pre class="programlisting">
-# Quenya.Org configuration file
-
-acl mynet {
- 192.168.1.0/24;
- 127.0.0.1;
-};
-
-options {
-
- directory "/var/named";
- listen-on-v6 { any; };
- notify no;
- forward first;
- forwarders {
- 192.168.1.1;
- };
- auth-nxdomain yes;
- multiple-cnames yes;
- listen-on {
- mynet;
- };
-};
-
-# The following three zone definitions do not need any modification.
-# The first one defines localhost while the second defines the
-# reverse lookup for localhost. The last zone "." is the
-# definition of the root name servers.
-
-zone "localhost" in {
- type master;
- file "localhost.zone";
-};
-
-zone "0.0.127.in-addr.arpa" in {
- type master;
- file "127.0.0.zone";
-};
-
-zone "." in {
- type hint;
- file "root.hint";
-};
-
-# You can insert further zone records for your own domains below.
-
-zone "quenya.org" {
- type master;
- file "/var/named/quenya.org.hosts";
- allow-query {
- mynet;
- };
- allow-transfer {
- mynet;
- };
- allow-update {
- mynet;
- };
- };
-
-zone "1.168.192.in-addr.arpa" {
- type master;
- file "/var/named/192.168.1.0.rev";
- allow-query {
- mynet;
- };
- allow-transfer {
- mynet;
- };
- allow-update {
- mynet;
- };
-};
-</pre><p>
- </p><p>
- The following files are all located in the directory <code class="filename">/var/named</code>.
- This is the <code class="filename">/var/named/localhost.zone</code> file:
-</p><pre class="programlisting">
-$TTL 1W
-@ IN SOA @ root (
- 42 ; serial (d. adams)
- 2D ; refresh
- 4H ; retry
- 6W ; expiry
- 1W ) ; minimum
-
- IN NS @
- IN A 127.0.0.1
- </pre><p>
- </p><p>
- The <code class="filename">/var/named/127.0.0.zone</code> file:
-</p><pre class="programlisting">
-$TTL 1W
-@ IN SOA localhost. root.localhost. (
- 42 ; serial (d. adams)
- 2D ; refresh
- 4H ; retry
- 6W ; expiry
- 1W ) ; minimum
-
- IN NS localhost.
-1 IN PTR localhost.
-</pre><p>
- </p><p>
- The <code class="filename">/var/named/quenya.org.host</code> file:
-</p><pre class="programlisting">
-$ORIGIN .
-$TTL 38400 ; 10 hours 40 minutes
-quenya.org IN SOA marvel.quenya.org. root.quenya.org. (
- 2003021832 ; serial
- 10800 ; refresh (3 hours)
- 3600 ; retry (1 hour)
- 604800 ; expire (1 week)
- 38400 ; minimum (10 hours 40 minutes)
- )
- NS marvel.quenya.org.
- MX 10 mail.quenya.org.
-$ORIGIN quenya.org.
-frodo A 192.168.1.1
-marvel A 192.168.1.2
-;
-mail CNAME marvel
-www CNAME marvel
-</pre><p>
-</p><p>
- The <code class="filename">/var/named/192.168.1.0.rev</code> file:
-</p><pre class="programlisting">
-$ORIGIN .
-$TTL 38400 ; 10 hours 40 minutes
-1.168.192.in-addr.arpa IN SOA marvel.quenya.org. root.quenya.org. (
- 2003021824 ; serial
- 10800 ; refresh (3 hours)
- 3600 ; retry (1 hour)
- 604800 ; expire (1 week)
- 38400 ; minimum (10 hours 40 minutes)
- )
- NS marvel.quenya.org.
-$ORIGIN 1.168.192.in-addr.arpa.
-1 PTR frodo.quenya.org.
-2 PTR marvel.quenya.org.
-</pre><p>
- </p><p>
-<a class="indexterm" name="id454550"></a>
-<a class="indexterm" name="id454557"></a>
- The configuration files shown here were copied from a fully working system. All dynamically registered
- entries have been removed. In addition to these files, BIND version 9 will
- create for each of the dynamic registration files a file that has a
- <code class="filename">.jnl</code> extension. Do not edit or tamper with the configuration
- files or with the <code class="filename">.jnl</code> files that are created.
- </p></div><div class="sect2" title="DHCP Server"><div class="titlepage"><div><div><h3 class="title"><a name="DHCP"></a>DHCP Server</h3></div></div></div><p>
- The following file is used with the ISC DHCP Server version 3.
- The file is located in <code class="filename">/etc/dhcpd.conf</code>:
- </p><p>
- </p><pre class="programlisting">
-ddns-updates on;
-ddns-domainname "quenya.org";
-option ntp-servers 192.168.1.2;
-ddns-update-style ad-hoc;
-allow unknown-clients;
-default-lease-time 86400;
-max-lease-time 172800;
-
-option domain-name "quenya.org";
-option domain-name-servers 192.168.1.2;
-option netbios-name-servers 192.168.1.2;
-option netbios-dd-server 192.168.1.2;
-option netbios-node-type 8;
-
-subnet 192.168.1.0 netmask 255.255.255.0 {
- range dynamic-bootp 192.168.1.60 192.168.1.254;
- option subnet-mask 255.255.255.0;
- option routers 192.168.1.2;
- allow unknown-clients;
-}
-</pre><p>
- </p><p>
- In this example, IP addresses between 192.168.1.1 and 192.168.1.59 are
- reserved for fixed-address (commonly called <code class="constant">hard-wired</code>) IP addresses. The
- addresses between 192.168.1.60 and 192.168.1.254 are allocated for dynamic use.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch47.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="apa.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 47. Samba Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Appendix A. 
- <acronym class="acronym">GNU</acronym> General Public License version 3
- </td></tr></table></div></body></html>
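Review bot: the named.conf listing removed here sets allow-update { mynet; }; on both the quenya.org and 1.168.192.in-addr.arpa zones, so a source address inside 192.168.1.0/24 is the only check on who may rewrite records, and the page calls the setup "simple, insecure" without saying why. The head of this file names DocBook XSL Stylesheets as its generator, so the same text returns on the next docs build unless the source changes; in the source, state next to the zone blocks that updates are unauthenticated and rely on the "secure firewall" assumption, or restrict allow-update to a key shared with the DHCP server. While there, fix the file name mismatch: the zone statement loads "/var/named/quenya.org.hosts" but the listing is introduced as /var/named/quenya.org.host.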
diff --git a/docs/htmldocs/Samba3-HOWTO/FastStart.html b/docs/htmldocs/Samba3-HOWTO/FastStart.html
deleted file mode 100644
index 0ba0ad9a89..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/FastStart.html
+++ /dev/null
@@ -1,698 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. Fast Start: Cure for Impatience</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="prev" href="install.html" title="Chapter 1. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. Fast Start: Cure for Impatience</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 2. Fast Start: Cure for Impatience"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 2. 
Fast Start: Cure for Impatience</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="FastStart.html#id326280">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id326298">Description of Example Sites</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id326355">Worked Examples</a></span></dt><dd><dl><dt><span class="sect2"><a href="FastStart.html#id326370">Standalone Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id328002">Domain Member Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id328803">Domain Controller</a></span></dt></dl></dd></dl></div><p>
-When we first asked for suggestions for inclusion in the Samba HOWTO documentation,
-someone wrote asking for example configurations and lots of them. That is remarkably
-difficult to do without losing a lot of value that can be derived from presenting
-many extracts from working systems. That is what the rest of this document does.
-It does so with extensive descriptions of the configuration possibilities within the
-context of the chapter that covers it. We hope that this chapter is the medicine
-that has been requested.
-</p><p>
-The information in this chapter is very sparse compared with the book <span class="quote">&#8220;<span class="quote">Samba-3 by Example</span>&#8221;</span>
-that was written after the original version of this book was nearly complete. <span class="quote">&#8220;<span class="quote">Samba-3 by Example</span>&#8221;</span>
-was the result of feedback from reviewers during the final copy editing of the first edition. It
-was interesting to see that reader feedback mirrored that given by the original reviewers.
-In any case, a month and a half was spent in doing basic research to better understand what
-new as well as experienced network administrators would best benefit from. The book <span class="quote">&#8220;<span class="quote">Samba-3 by Example</span>&#8221;</span>
-is the result of that research. What is presented in the few pages of this book is covered
-far more comprehensively in the second edition of <span class="quote">&#8220;<span class="quote">Samba-3 by Example</span>&#8221;</span>. The second edition
-of both books will be released at the same time.
-</p><p>
-So in summary, the book <span class="quote">&#8220;<span class="quote">The Official Samba-3 HOWTO &amp; Reference Guide</span>&#8221;</span> is intended
-as the equivalent of an auto mechanic's repair guide. The book <span class="quote">&#8220;<span class="quote">Samba-3 by Example</span>&#8221;</span> is the
-equivalent of the driver's guide that explains how to drive the car. If you want complete network
-configuration examples, go to <a class="ulink" href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by
-Example</a>.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id326280"></a>Features and Benefits</h2></div></div></div><p>
-Samba needs very little configuration to create a basic working system.
-In this chapter we progress from the simple to the complex, for each providing
-all steps and configuration file changes needed to make each work. Please note
-that a comprehensively configured system will likely employ additional smart
-features. These additional features are covered in the remainder of this document.
-</p><p>
-The examples used here have been obtained from a number of people who made
-requests for example configurations. All identities have been obscured to protect
-the guilty, and any resemblance to unreal nonexistent sites is deliberate.
-</p></div><div class="sect1" title="Description of Example Sites"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id326298"></a>Description of Example Sites</h2></div></div></div><p>
-In the first set of configuration examples we consider the case of exceptionally simple system requirements.
-There is a real temptation to make something that should require little effort much too complex.
-</p><p>
-<a class="link" href="FastStart.html#anon-ro" title="Anonymous Read-Only Document Server">&#8220;Anonymous Read-Only Document Server&#8221;</a> documents the type of server that might be sufficient to serve CD-ROM images,
-or reference document files for network client use. This configuration is also discussed in <a class="link" href="StandAloneServer.html" title="Chapter 7. Standalone Servers">&#8220;Standalone Servers&#8221;</a>, <a class="link" href="StandAloneServer.html#RefDocServer" title="Reference Documentation Server">&#8220;Reference Documentation Server&#8221;</a>. The purpose for this configuration
-is to provide a shared volume that is read-only that anyone, even guests, can access.
-</p><p>
-The second example shows a minimal configuration for a print server that anyone can print to as long as they
-have the correct printer drivers installed on their computer. This is a mirror of the system described in
-<a class="link" href="StandAloneServer.html" title="Chapter 7. Standalone Servers">&#8220;Standalone Servers&#8221;</a>, <a class="link" href="StandAloneServer.html#SimplePrintServer" title="Central Print Serving">&#8220;Central Print Serving&#8221;</a>.
-</p><p>
-The next example is of a secure office file and print server that will be accessible only to users who have an
-account on the system. This server is meant to closely resemble a workgroup file and print server, but has to
-be more secure than an anonymous access machine. This type of system will typically suit the needs of a small
-office. The server provides no network logon facilities, offers no domain control; instead it is just a
-network-attached storage (NAS) device and a print server.
-</p><p>
-The later example consider more complex systems that will either integrate into existing MS Windows networks
-or replace them entirely. These cover domain member servers as well as Samba domain control (PDC/BDC) and
-finally describes in detail a large distributed network with branch offices in remote locations.
-</p></div><div class="sect1" title="Worked Examples"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id326355"></a>Worked Examples</h2></div></div></div><p>
-The configuration examples are designed to cover everything necessary to get Samba
-running. They do not cover basic operating system platform configuration, which is
-clearly beyond the scope of this text.
-</p><p>
-It is also assumed that Samba has been correctly installed, either by way of installation
-of the packages that are provided by the operating system vendor or through other means.
-</p><div class="sect2" title="Standalone Server"><div class="titlepage"><div><div><h3 class="title"><a name="id326370"></a>Standalone Server</h3></div></div></div><p>
- <a class="indexterm" name="id326377"></a>
- A standalone server implies no more than the fact that it is not a domain controller
- and it does not participate in domain control. It can be a simple, workgroup-like
- server, or it can be a complex server that is a member of a domain security context.
- </p><p>
- As the examples are developed, every attempt is made to progress the system toward greater capability, just as
- one might expect would happen in a real business office as that office grows in size and its needs change.
- </p><div class="sect3" title="Anonymous Read-Only Document Server"><div class="titlepage"><div><div><h4 class="title"><a name="anon-ro"></a>Anonymous Read-Only Document Server</h4></div></div></div><p>
- <a class="indexterm" name="id326404"></a>
- The purpose of this type of server is to make available to any user
- any documents or files that are placed on the shared resource. The
- shared resource could be a CD-ROM drive, a CD-ROM image, or a file
- storage area.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- The file system share point will be <code class="filename">/export</code>.
- </p></li><li class="listitem"><p>
- All files will be owned by a user called Jack Baumbach.
- Jack's login name will be <span class="emphasis"><em>jackb</em></span>. His password will be
- <span class="emphasis"><em>m0r3pa1n</em></span> of course, that's just the example we are
- using; do not use this in a production environment because
- all readers of this document will know it.
- </p></li></ul></div><div class="procedure" title="Procedure 2.1. Installation Procedure: Read-Only Server"><a name="id326444"></a><p class="title"><b>Procedure 2.1. Installation Procedure: Read-Only Server</b></p><div class="example"><a name="anon-example"></a><p class="title"><b>Example 2.1. Anonymous Read-Only Server Configuration</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id326563"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id326573"></a><em class="parameter"><code>netbios name = HOBBIT</code></em></td></tr><tr><td><a class="indexterm" name="id326584"></a><em class="parameter"><code>security = share</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id326602"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id326613"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id326623"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326634"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Add user to system (with creation of the user's home directory):
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 2"><p>
- Create directory, and set permissions and ownership:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>mkdir /export</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chmod u+rwx,g+rx,o+rx /export</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chown jackb.users /export</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 3"><p>
- Copy the files that should be shared to the <code class="filename">/export</code>
- directory.
- </p></li><li class="step" title="Step 4"><p>
- Install the Samba configuration file (<code class="filename">/etc/samba/smb.conf</code>)
- as shown in <a class="link" href="FastStart.html#anon-example" title="Example 2.1. Anonymous Read-Only Server Configuration">Anonymous Read-Only Server Configuration</a>.
- </p></li><li class="step" title="Step 5"><p>
- Test the configuration file by executing the following command:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>testparm</code></strong>
-</pre><p>
- Alternatively, where you are operating from a master configuration file called
- <code class="filename">smb.conf.master</code>, the following sequence of commands might prove
- more appropriate:
-</p><pre class="screen">
-<code class="prompt">root# </code> cd /etc/samba
-<code class="prompt">root# </code> testparm -s smb.conf.master &gt; smb.conf
-<code class="prompt">root# </code> testparm
-</pre><p>
- Note any error messages that might be produced. Proceed only if error-free output has been
- obtained. An example of typical output that should be generated from the above configuration
- file is shown here:
-</p><pre class="screen">
-Load smb config files from /etc/samba/smb.conf
-Processing section "[data]"
-Loaded services file OK.
-Server role: ROLE_STANDALONE
-Press enter to see a dump of your service definitions
-<strong class="userinput"><code>[Press enter]</code></strong>
-
-# Global parameters
-[global]
- workgroup = MIDEARTH
- netbios name = HOBBIT
- security = share
-
-[data]
- comment = Data
- path = /export
- read only = Yes
- guest only = Yes
-</pre><p>
- </p></li><li class="step" title="Step 6"><p>
- Start Samba using the method applicable to your operating system platform. The method that
- should be used is platform dependent. Refer to <a class="link" href="compiling.html#startingSamba" title="Starting the smbd nmbd and winbindd">Starting Samba</a>
- for further information regarding the starting of Samba.
- </p></li><li class="step" title="Step 7"><p>
- Configure your MS Windows client for workgroup <span class="emphasis"><em>MIDEARTH</em></span>,
- set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes,
- then open Windows Explorer and visit the Network Neighborhood.
- The machine HOBBIT should be visible. When you click this machine
- icon, it should open up to reveal the <span class="emphasis"><em>data</em></span> share. After
- you click the share, it should open up to reveal the files previously
- placed in the <code class="filename">/export</code> directory.
- </p></li></ol></div><p>
- The information above (following # Global parameters) provides the complete
- contents of the <code class="filename">/etc/samba/smb.conf</code> file.
- </p></div><div class="sect3" title="Anonymous Read-Write Document Server"><div class="titlepage"><div><div><h4 class="title"><a name="id326756"></a>Anonymous Read-Write Document Server</h4></div></div></div><p>
- <a class="indexterm" name="id326764"></a>
- We should view this configuration as a progression from the previous example.
- The difference is that shared access is now forced to the user identity of jackb
- and to the primary group jackb belongs to. One other refinement we can make is to
- add the user <span class="emphasis"><em>jackb</em></span> to the <code class="filename">smbpasswd</code> file.
- To do this, execute:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a jackb</code></strong>
-New SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
-Retype new SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
-Added user jackb.
-</pre><p>
- Addition of this user to the <code class="filename">smbpasswd</code> file allows all files
- to be displayed in the Explorer Properties boxes as belonging to <span class="emphasis"><em>jackb</em></span>
- instead of to <span class="emphasis"><em>User Unknown</em></span>.
- </p><p>
- The complete, modified <code class="filename">smb.conf</code> file is as shown in <a class="link" href="FastStart.html#anon-rw" title="Example 2.2. Modified Anonymous Read-Write smb.conf">&#8220;Modified Anonymous Read-Write smb.conf&#8221;</a>.
- </p><div class="example"><a name="anon-rw"></a><p class="title"><b>Example 2.2. Modified Anonymous Read-Write smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id326858"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id326869"></a><em class="parameter"><code>netbios name = HOBBIT</code></em></td></tr><tr><td><a class="indexterm" name="id326879"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id326898"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id326908"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id326919"></a><em class="parameter"><code>force user = jackb</code></em></td></tr><tr><td><a class="indexterm" name="id326929"></a><em class="parameter"><code>force group = users</code></em></td></tr><tr><td><a class="indexterm" name="id326939"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id326950"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" title="Anonymous Print Server"><div class="titlepage"><div><div><h4 class="title"><a name="id326962"></a>Anonymous Print Server</h4></div></div></div><p>
- <a class="indexterm" name="id326970"></a>
- An anonymous print server serves two purposes:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- It allows printing to all printers from a single location.
- </p></li><li class="listitem"><p>
- It reduces network traffic congestion due to many users trying
- to access a limited number of printers.
- </p></li></ul></div><p>
- In the simplest of anonymous print servers, it is common to require the installation
- of the correct printer drivers on the Windows workstation. In this case the print
- server will be designed to just pass print jobs through to the spooler, and the spooler
- should be configured to do raw pass-through to the printer. In other words, the print
- spooler should not filter or process the data stream being passed to the printer.
- </p><p>
- In this configuration, it is undesirable to present the Add Printer Wizard, and we do
- not want to have automatic driver download, so we disable it in the following
- configuration. <a class="link" href="FastStart.html#anon-print" title="Example 2.3. Anonymous Print Server smb.conf">&#8220;Anonymous Print Server smb.conf&#8221;</a> is the resulting <code class="filename">smb.conf</code> file.
- </p><div class="example"><a name="anon-print"></a><p class="title"><b>Example 2.3. Anonymous Print Server smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id327038"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id327048"></a><em class="parameter"><code>netbios name = LUTHIEN</code></em></td></tr><tr><td><a class="indexterm" name="id327059"></a><em class="parameter"><code>security = share</code></em></td></tr><tr><td><a class="indexterm" name="id327069"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id327080"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id327090"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id327100"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id327119"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id327130"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id327140"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id327150"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id327161"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id327171"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br 
class="example-break"><p>
- The above configuration is not ideal. It uses no smart features, and it deliberately
- presents a less than elegant solution. But it is basic, and it does print. Samba makes
- use of the direct printing application program interface that is provided by CUPS.
- When Samba has been compiled and linked with the CUPS libraries, the default printing
- system will be CUPS. By specifying that the printcap name is CUPS, Samba will use
- the CUPS library API to communicate directly with CUPS for all printer functions.
- It is possible to force the use of external printing commands by setting the value
- of the <em class="parameter"><code>printing</code></em> to either SYSV or BSD, and thus the value of
- the parameter <em class="parameter"><code>printcap name</code></em> must be set to something other than
- CUPS. In such case, it could be set to the name of any file that contains a list
- of printers that should be made available to Windows clients.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- Windows users will need to install a local printer and then change the print
- to device after installation of the drivers. The print to device can then be set to
- the network printer on this machine.
- </p></div><p>
- Make sure that the directory <code class="filename">/var/spool/samba</code> is capable of being used
- as intended. The following steps must be taken to achieve this:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- The directory must be owned by the superuser (root) user and group:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>chown root.root /var/spool/samba</code></strong>
-</pre><p>
- </p></li><li class="listitem"><p>
- Directory permissions should be set for public read-write with the
- sticky bit set as shown:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>chmod a+twrx /var/spool/samba</code></strong>
-</pre><p>
- The purpose of setting the sticky bit is to prevent who does not own the temporary print file
- from being able to take control of it with the potential for devious misuse.
- </p></li></ul></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- <a class="indexterm" name="id327267"></a>
- <a class="indexterm" name="id327275"></a>
- On CUPS-enabled systems there is a facility to pass raw data directly to the printer without
- intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
- it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
- handler in the <code class="filename">/etc/mime.conv</code> and <code class="filename">/etc/mime.types</code>
- files. Refer to <a class="link" href="CUPS-printing.html#cups-raw" title="Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream">&#8220;Explicitly Enable raw Printing for application/octet-stream&#8221;</a>.
- </p></div></div><div class="sect3" title="Secure Read-Write File and Print Server"><div class="titlepage"><div><div><h4 class="title"><a name="id327301"></a>Secure Read-Write File and Print Server</h4></div></div></div><p>
- We progress now from simple systems to a server that is slightly more complex.
- </p><p>
- Our new server will require a public data storage area in which only authenticated
- users (i.e., those with a local account) can store files, as well as a home directory.
- There will be one printer that should be available for everyone to use.
- </p><p>
- In this hypothetical environment (no espionage was conducted to obtain this data),
- the site is demanding a simple environment that is <span class="emphasis"><em>secure enough</em></span>
- but not too difficult to use.
- </p><p>
- Site users will be Jack Baumbach, Mary Orville, and Amed Sehkah. Each will have
- a password (not shown in further examples). Mary will be the printer administrator and will
- own all files in the public share.
- </p><p>
- This configuration will be based on <span class="emphasis"><em>user-level security</em></span> that
- is the default, and for which the default is to store Microsoft Windows-compatible
- encrypted passwords in a file called <code class="filename">/etc/samba/smbpasswd</code>.
- The default <code class="filename">smb.conf</code> entry that makes this happen is
- <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend = smbpasswd, guest</a>. Since this is the default,
- it is not necessary to enter it into the configuration file. Note that the guest backend is
- added to the list of active passdb backends no matter whether it specified directly in Samba configuration
- file or not.
- </p><div class="procedure" title="Procedure 2.2. Installing the Secure Office Server"><a name="id327357"></a><p class="title"><b>Procedure 2.2. Installing the Secure Office Server</b></p><div class="example"><a name="OfficeServer"></a><p class="title"><b>Example 2.4. Secure Office Server smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id327448"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id327459"></a><em class="parameter"><code>netbios name = OLORIN</code></em></td></tr><tr><td><a class="indexterm" name="id327469"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id327479"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id327490"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id327500"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id327519"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id327529"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id327540"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id327550"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id327569"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a 
class="indexterm" name="id327579"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id327590"></a><em class="parameter"><code>force user = maryo</code></em></td></tr><tr><td><a class="indexterm" name="id327600"></a><em class="parameter"><code>force group = users</code></em></td></tr><tr><td><a class="indexterm" name="id327611"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id327629"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id327640"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id327650"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id327661"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id327671"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id327681"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id327692"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id327702"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- <a class="indexterm" name="id327367"></a>
- Add all users to the operating system:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Mary Orville" -m -g users -p secret maryo</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Amed Sehkah" -m -g users -p secret ameds</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 2"><p>
- Configure the Samba <code class="filename">smb.conf</code> file as shown in <a class="link" href="FastStart.html#OfficeServer" title="Example 2.4. Secure Office Server smb.conf">&#8220;Secure Office Server smb.conf&#8221;</a>.
- </p></li><li class="step" title="Step 3"><p>
- Initialize the Microsoft Windows password database with the new users:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a root</code></strong>
-New SMB password: <strong class="userinput"><code>bigsecret</code></strong>
-Reenter smb password: <strong class="userinput"><code>bigsecret</code></strong>
-Added user root.
-
-<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a jackb</code></strong>
-New SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
-Retype new SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
-Added user jackb.
-
-<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a maryo</code></strong>
-New SMB password: <strong class="userinput"><code>secret</code></strong>
-Reenter smb password: <strong class="userinput"><code>secret</code></strong>
-Added user maryo.
-
-<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a ameds</code></strong>
-New SMB password: <strong class="userinput"><code>mysecret</code></strong>
-Reenter smb password: <strong class="userinput"><code>mysecret</code></strong>
-Added user ameds.
-</pre><p>
- </p></li><li class="step" title="Step 4"><p>
- Install printer using the CUPS Web interface. Make certain that all
- printers that will be shared with Microsoft Windows clients are installed
- as raw printing devices.
- </p></li><li class="step" title="Step 5"><p>
- Start Samba using the operating system administrative interface.
- Alternately, this can be done manually by executing:
- <a class="indexterm" name="id327818"></a>
- <a class="indexterm" name="id327825"></a>
- <a class="indexterm" name="id327831"></a>
- <a class="indexterm" name="id327839"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code> nmbd; smbd;</code></strong>
-</pre><p>
- Both applications automatically execute as daemons. Those who are paranoid about
- maintaining control can add the <code class="constant">-D</code> flag to coerce them to start
- up in daemon mode.
- </p></li><li class="step" title="Step 6"><p>
- Configure the <code class="filename">/export</code> directory:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>mkdir /export</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chown maryo.users /export</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chmod u=rwx,g=rwx,o-rwx /export</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 7"><p>
- Check that Samba is running correctly:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbclient -L localhost -U%</code></strong>
-Domain=[MIDEARTH] OS=[UNIX] Server=[Samba-3.0.20]
-
-Sharename Type Comment
---------- ---- -------
-public Disk Data
-IPC$ IPC IPC Service (Samba-3.0.20)
-ADMIN$ IPC IPC Service (Samba-3.0.20)
-hplj4 Printer hplj4
-
-Server Comment
---------- -------
-OLORIN Samba-3.0.20
-
-Workgroup Master
---------- -------
-MIDEARTH OLORIN
-</pre><p>
- The following error message indicates that Samba was not running:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbclient -L olorin -U%
-Error connecting to 192.168.1.40 (Connection refused)
-Connection to olorin failed
-</pre><p>
- </p></li><li class="step" title="Step 8"><p>
- Connect to OLORIN as maryo:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbclient //olorin/maryo -Umaryo%secret</code></strong>
-OS=[UNIX] Server=[Samba-3.0.20]
-smb: \&gt; <strong class="userinput"><code>dir</code></strong>
-. D 0 Sat Jun 21 10:58:16 2003
-.. D 0 Sat Jun 21 10:54:32 2003
-Documents D 0 Fri Apr 25 13:23:58 2003
-DOCWORK D 0 Sat Jun 14 15:40:34 2003
-OpenOffice.org D 0 Fri Apr 25 13:55:16 2003
-.bashrc H 1286 Fri Apr 25 13:23:58 2003
-.netscape6 DH 0 Fri Apr 25 13:55:13 2003
-.mozilla DH 0 Wed Mar 5 11:50:50 2003
-.kermrc H 164 Fri Apr 25 13:23:58 2003
-.acrobat DH 0 Fri Apr 25 15:41:02 2003
-
- 55817 blocks of size 524288. 34725 blocks available
-smb: \&gt; <strong class="userinput"><code>q</code></strong>
-</pre><p>
- </p></li></ol></div><p>
- By now you should be getting the hang of configuration basics. Clearly, it is time to
- explore slightly more complex examples. For the remainder of this chapter we abbreviate
- instructions, since there are previous examples.
- </p></div></div><div class="sect2" title="Domain Member Server"><div class="titlepage"><div><div><h3 class="title"><a name="id328002"></a>Domain Member Server</h3></div></div></div><p>
- <a class="indexterm" name="id328010"></a>
- In this instance we consider the simplest server configuration we can get away with
- to make an accounting department happy. Let's be warned, the users are accountants and they
- do have some nasty demands. There is a budget for only one server for this department.
- </p><p>
- The network is managed by an internal Information Services Group (ISG), to which we belong.
- Internal politics are typical of a medium-sized organization; Human Resources is of the
- opinion that they run the ISG because they are always adding and disabling users. Also,
- departmental managers have to fight tooth and nail to gain basic network resources access for
- their staff. Accounting is different, though, they get exactly what they want. So this should
- set the scene.
- </p><p>
- We use the users from the last example. The accounting department
- has a general printer that all departmental users may use. There is also a check printer
- that may be used only by the person who has authority to print checks. The chief financial
- officer (CFO) wants that printer to be completely restricted and for it to be located in the
- private storage area in her office. It therefore must be a network printer.
- </p><p>
- The accounting department uses an accounting application called <span class="emphasis"><em>SpytFull</em></span>
- that must be run from a central application server. The software is licensed to run only off
- one server, there are no workstation components, and it is run off a mapped share. The data
- store is in a UNIX-based SQL backend. The UNIX gurus look after that, so this is not our
- problem.
- </p><p>
- The accounting department manager (maryo) wants a general filing system as well as a separate
- file storage area for form letters (nastygrams). The form letter area should be read-only to
- all accounting staff except the manager. The general filing system has to have a structured
- layout with a general area for all staff to store general documents as well as a separate
- file area for each member of her team that is private to that person, but she wants full
- access to all areas. Users must have a private home share for personal work-related files
- and for materials not related to departmental operations.
- </p><div class="sect3" title="Example Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id328056"></a>Example Configuration</h4></div></div></div><p>
- The server <span class="emphasis"><em>valinor</em></span> will be a member server of the company domain.
- Accounting will have only a local server. User accounts will be on the domain controllers,
- as will desktop profiles and all network policy files.
- </p><div class="procedure"><div class="example"><a name="fast-member-server"></a><p class="title"><b>Example 2.5. Member Server smb.conf (Globals)</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id328125"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id328136"></a><em class="parameter"><code>netbios name = VALINOR</code></em></td></tr><tr><td><a class="indexterm" name="id328146"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id328156"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id328167"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328177"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id328188"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id328198"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id328208"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328219"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="fast-memberserver-shares"></a><p class="title"><b>Example 2.6. 
Member Server smb.conf (Shares and Services)</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id328251"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id328262"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id328272"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id328282"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[spytfull]</code></em></td></tr><tr><td><a class="indexterm" name="id328301"></a><em class="parameter"><code>comment = Accounting Application Only</code></em></td></tr><tr><td><a class="indexterm" name="id328312"></a><em class="parameter"><code>path = /export/spytfull</code></em></td></tr><tr><td><a class="indexterm" name="id328322"></a><em class="parameter"><code>valid users = @Accounts</code></em></td></tr><tr><td><a class="indexterm" name="id328332"></a><em class="parameter"><code>admin users = maryo</code></em></td></tr><tr><td><a class="indexterm" name="id328343"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id328362"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id328372"></a><em class="parameter"><code>path = /export/public</code></em></td></tr><tr><td><a class="indexterm" name="id328382"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id328401"></a><em class="parameter"><code>comment = All 
Printers</code></em></td></tr><tr><td><a class="indexterm" name="id328412"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id328422"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id328432"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id328443"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328453"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328464"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id328474"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Do not add users to the UNIX/Linux server; all of this will run off the
- central domain.
- </p></li><li class="step" title="Step 2"><p>
- Configure <code class="filename">smb.conf</code> according to <a class="link" href="FastStart.html#fast-member-server" title="Example 2.5. Member Server smb.conf (Globals)">Member server smb.conf
- (globals)</a> and <a class="link" href="FastStart.html#fast-memberserver-shares" title="Example 2.6. Member Server smb.conf (Shares and Services)">Member server smb.conf (shares
- and services)</a>.
- </p></li><li class="step" title="Step 3"><p>
- <a class="indexterm" name="id328491"></a>
- Join the domain. Note: Do not start Samba until this step has been completed!
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>net rpc join -Uroot%'bigsecret'</code></strong>
-Joined domain MIDEARTH.
-</pre><p>
- </p></li><li class="step" title="Step 4"><p>
- Make absolutely certain that you disable (shut down) the <code class="literal">nscd</code>
- daemon on any system on which <code class="literal">winbind</code> is configured to run.
- </p></li><li class="step" title="Step 5"><p>
- Start Samba following the normal method for your operating system platform.
- If you wish to do this manually, execute as root:
- <a class="indexterm" name="id328539"></a>
- <a class="indexterm" name="id328546"></a>
- <a class="indexterm" name="id328552"></a>
- <a class="indexterm" name="id328558"></a>
- <a class="indexterm" name="id328566"></a>
- <a class="indexterm" name="id328575"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>nmbd; smbd; winbindd;</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 6"><p>
- Configure the name service switch (NSS) control file on your system to resolve user and group names
- via winbind. Edit the following lines in <code class="filename">/etc/nsswitch.conf</code>:
-</p><pre class="programlisting">
-passwd: files winbind
-group: files winbind
-hosts: files dns winbind
-</pre><p>
- </p></li><li class="step" title="Step 7"><p>
- Set the password for <code class="literal">wbinfo</code> to use:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>wbinfo --set-auth-user=root%'bigsecret'</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 8"><p>
- Validate that domain user and group credentials can be correctly resolved by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -u</code></strong>
-MIDEARTH\maryo
-MIDEARTH\jackb
-MIDEARTH\ameds
-...
-MIDEARTH\root
-
-<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -g</code></strong>
-MIDEARTH\Domain Users
-MIDEARTH\Domain Admins
-MIDEARTH\Domain Guests
-...
-MIDEARTH\Accounts
-</pre><p>
- </p></li><li class="step" title="Step 9"><p>
- Check that <code class="literal">winbind</code> is working. The following demonstrates correct
- username resolution via the <code class="literal">getent</code> system utility:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>getent passwd maryo</code></strong>
-maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
-</pre><p>
- </p></li><li class="step" title="Step 10"><p>
- A final test that we have this under control might be reassuring:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>touch /export/a_file</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chown maryo /export/a_file</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>ls -al /export/a_file</code></strong>
-...
--rw-r--r-- 1 maryo users 11234 Jun 21 15:32 a_file
-...
-
-<code class="prompt">root# </code><strong class="userinput"><code>rm /export/a_file</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 11"><p>
- Configuration is now mostly complete, so this is an opportune time
- to configure the directory structure for this site:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>mkdir -p /export/{spytfull,public}</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chmod ug=rwxS,o=x /export/{spytfull,public}</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chown maryo.Accounts /export/{spytfull,public}</code></strong>
-</pre><p>
- </p></li></ol></div></div></div><div class="sect2" title="Domain Controller"><div class="titlepage"><div><div><h3 class="title"><a name="id328803"></a>Domain Controller</h3></div></div></div><p>
- <a class="indexterm" name="id328810"></a>
- For the remainder of this chapter the focus is on the configuration of domain control.
- The examples that follow are for two implementation strategies. Remember, our objective is
- to create a simple but working solution. The remainder of this book should help to highlight
- opportunity for greater functionality and the complexity that goes with it.
- </p><p>
- A domain controller configuration can be achieved with a simple configuration using the new
- tdbsam password backend. This type of configuration is good for small
- offices, but has limited scalability (cannot be replicated), and performance can be expected
- to fall as the size and complexity of the domain increases.
- </p><p>
- The use of tdbsam is best limited to sites that do not need
- more than a Primary Domain Controller (PDC). As the size of a domain grows the need
- for additional domain controllers becomes apparent. Do not attempt to under-resource
- a Microsoft Windows network environment; domain controllers provide essential
- authentication services. The following are symptoms of an under-resourced domain control
- environment:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Domain logons intermittently fail.
- </p></li><li class="listitem"><p>
- File access on a domain member server intermittently fails, giving a permission denied
- error message.
- </p></li></ul></div><p>
- A more scalable domain control authentication backend option might use
- Microsoft Active Directory or an LDAP-based backend. Samba-3 provides
- for both options as a domain member server. As a PDC, Samba-3 is not able to provide
- an exact alternative to the functionality that is available with Active Directory.
- Samba-3 can provide a scalable LDAP-based PDC/BDC solution.
- </p><p>
- The tdbsam authentication backend provides no facility to replicate
- the contents of the database, except by external means (i.e., there is no self-contained protocol
- in Samba-3 for Security Account Manager database [SAM] replication).
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- If you need more than one domain controller, do not use a tdbsam authentication backend.
- </p></div><div class="sect3" title="Example: Engineering Office"><div class="titlepage"><div><div><h4 class="title"><a name="id328866"></a>Example: Engineering Office</h4></div></div></div><p>
- The engineering office network server we present here is designed to demonstrate use
- of the new tdbsam password backend. The tdbsam
- facility is new to Samba-3. It is designed to provide many user and machine account controls
- that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks.
- </p><div class="procedure"><div class="example"><a name="fast-engoffice-global"></a><p class="title"><b>Example 2.7. Engineering Office smb.conf (globals)</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id328927"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id328937"></a><em class="parameter"><code>netbios name = FRODO</code></em></td></tr><tr><td><a class="indexterm" name="id328947"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id328958"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id328968"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m %u</code></em></td></tr><tr><td><a class="indexterm" name="id328979"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r %u</code></em></td></tr><tr><td><a class="indexterm" name="id328989"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd %g</code></em></td></tr><tr><td><a class="indexterm" name="id328999"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel %g</code></em></td></tr><tr><td><a class="indexterm" name="id329010"></a><em class="parameter"><code>add user to group script = /usr/sbin/groupmod -A %u %g</code></em></td></tr><tr><td><a class="indexterm" name="id329020"></a><em class="parameter"><code>delete user from group script = /usr/sbin/groupmod -R %u %g</code></em></td></tr><tr><td><a class="indexterm" name="id329031"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u</code></em></td></tr><tr><td># Note: The following specifies the default logon script.</td></tr><tr><td># Per user logon scripts can be specified in the 
user account using pdbedit </td></tr><tr><td><a class="indexterm" name="id329050"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td># This sets the default profile path. Set per user paths with pdbedit</td></tr><tr><td><a class="indexterm" name="id329065"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id329075"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id329085"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id329096"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329106"></a><em class="parameter"><code>os level = 35</code></em></td></tr><tr><td><a class="indexterm" name="id329117"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329127"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329137"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id329148"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id329158"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="fast-engoffice-shares"></a><p class="title"><b>Example 2.8. 
Engineering Office smb.conf (shares and services)</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id329191"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id329201"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id329211"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id329222"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td># Printing auto-share (makes printers available thru CUPS)</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id329244"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id329255"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id329265"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id329276"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id329286"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329296"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329307"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id329326"></a><em class="parameter"><code>comment = Printer Drivers Share</code></em></td></tr><tr><td><a class="indexterm" name="id329336"></a><em class="parameter"><code>path = 
/var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id329346"></a><em class="parameter"><code>write list = maryo, root</code></em></td></tr><tr><td><a class="indexterm" name="id329357"></a><em class="parameter"><code>printer admin = maryo, root</code></em></td></tr><tr><td># Needed to support domain logons</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id329379"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id329389"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id329400"></a><em class="parameter"><code>admin users = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id329410"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id329420"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td># For profiles to work, create a user directory under the path</td></tr><tr><td># shown. i.e., mkdir -p /var/lib/samba/profiles/maryo</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[Profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id329446"></a><em class="parameter"><code>comment = Roaming Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id329457"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id329467"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id329478"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td># Other resource (share/printer) definitions would follow below.</td></tr></table></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- A working PDC configuration using the tdbsam
- password backend can be found in <a class="link" href="FastStart.html#fast-engoffice-global" title="Example 2.7. Engineering Office smb.conf (globals)">Engineering Office smb.conf
- (globals)</a> together with <a class="link" href="FastStart.html#fast-engoffice-shares" title="Example 2.8. Engineering Office smb.conf (shares and services)">Engineering Office smb.conf
- (shares and services)</a>:
- <a class="indexterm" name="id328898"></a>
- </p></li><li class="step" title="Step 2"><p>
- Create UNIX group accounts as needed using a suitable operating system tool:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>groupadd ntadmins</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>groupadd designers</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>groupadd engineers</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>groupadd qateam</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 3"><p>
- Create user accounts on the system using the appropriate tool
- provided with the operating system. Make sure all user home directories
- are created also. Add users to groups as required for access control
- on files, directories, printers, and as required for use in the Samba
- environment.
- </p></li><li class="step" title="Step 4"><p>
- <a class="indexterm" name="id329557"></a>
- <a class="indexterm" name="id329565"></a>
- Assign each of the UNIX groups to NT groups by executing this shell script
- (You could name the script <code class="filename">initGroups.sh</code>):
-</p><pre class="screen">
-#!/bin/bash
-#### Keep this as a shell script for future re-use
-
-# First assign well known groups
-net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
-net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=
-net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
-
-# Now for our added Domain Groups
-net groupmap add ntgroup="Designers" unixgroup=designers type=d
-net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
-net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
-</pre><p>
- </p></li><li class="step" title="Step 5"><p>
- Create the <code class="filename">scripts</code> directory for use in the
- <em class="parameter"><code>[NETLOGON]</code></em> share:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>mkdir -p /var/lib/samba/netlogon/scripts</code></strong>
-</pre><p>
- Place the logon scripts that will be used (batch or cmd scripts)
- in this directory.
- </p></li></ol></div><p>
- The above configuration provides a functional PDC
- system to which must be added file shares and printers as required.
- </p></div><div class="sect3" title="A Big Organization"><div class="titlepage"><div><div><h4 class="title"><a name="id329627"></a>A Big Organization</h4></div></div></div><p>
- In this section we finally get to review in brief a Samba-3 configuration that
- uses a Lightweight Directory Access (LDAP)-based authentication backend. The
- main reasons for this choice are to provide the ability to host primary
- and Backup Domain Control (BDC), as well as to enable a higher degree of
- scalability to meet the needs of a very distributed environment.
- </p><div class="sect4" title="The Primary Domain Controller"><div class="titlepage"><div><div><h5 class="title"><a name="id329639"></a>The Primary Domain Controller</h5></div></div></div><p>
- This is an example of a minimal configuration to run a Samba-3 PDC
- using an LDAP authentication backend. It is assumed that the operating system
- has been correctly configured.
- </p><p>
- The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or
- SambaSamAccounts. The Idealx scripts may be downloaded from the <a class="ulink" href="http://www.idealx.org" target="_top">
- Idealx</a> Web site. They may also be obtained from the Samba tarball. Linux
- distributions tend to install the Idealx scripts in the
- <code class="filename">/usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools</code> directory.
- Idealx scripts version <code class="constant">smbldap-tools-0.9.1</code> are known to work well.
- </p><div class="procedure"><div class="example"><a name="fast-ldap"></a><p class="title"><b>Example 2.9. LDAP backend smb.conf for PDC</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id329835"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id329845"></a><em class="parameter"><code>netbios name = FRODO</code></em></td></tr><tr><td><a class="indexterm" name="id329856"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id329866"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id329877"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id329887"></a><em class="parameter"><code>add user script = /usr/local/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id329898"></a><em class="parameter"><code>delete user script = /usr/local/sbin/smbldap-userdel %u</code></em></td></tr><tr><td><a class="indexterm" name="id329908"></a><em class="parameter"><code>add group script = /usr/local/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id329920"></a><em class="parameter"><code>delete group script = /usr/local/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id329931"></a><em class="parameter"><code>add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id329942"></a><em class="parameter"><code>delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" 
name="id329953"></a><em class="parameter"><code>set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id329964"></a><em class="parameter"><code>add machine script = /usr/local/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id329975"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id329986"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id329996"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id330006"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id330017"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330027"></a><em class="parameter"><code>os level = 35</code></em></td></tr><tr><td><a class="indexterm" name="id330038"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330048"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330058"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id330069"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id330079"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id330090"></a><em class="parameter"><code>ldap group suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id330100"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id330110"></a><em class="parameter"><code>ldap admin dn = 
cn=Manager,dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id330121"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id330131"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330142"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id330152"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id330162"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Obtain from the Samba sources <code class="filename">~/examples/LDAP/samba.schema</code>
- and copy it to the <code class="filename">/etc/openldap/schema/</code> directory.
- </p></li><li class="step" title="Step 2"><p>
- Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x.
- The <code class="filename">/etc/openldap/slapd.conf</code> file.
- <a class="indexterm" name="id329699"></a>
-<span style="color: red">&lt;title&gt;Example slapd.conf File&lt;/title&gt;</span>
-</p><pre class="screen">
-# Note commented out lines have been removed
-include /etc/openldap/schema/core.schema
-include /etc/openldap/schema/cosine.schema
-include /etc/openldap/schema/inetorgperson.schema
-include /etc/openldap/schema/nis.schema
-include /etc/openldap/schema/samba.schema
-
-pidfile /var/run/slapd/slapd.pid
-argsfile /var/run/slapd/slapd.args
-
-database bdb
-suffix "dc=quenya,dc=org"
-rootdn "cn=Manager,dc=quenya,dc=org"
-rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
-# The password for the above is 'nastyon3'
-
-directory /var/lib/ldap
-
-index objectClass eq
-index cn pres,sub,eq
-index sn pres,sub,eq
-index uid pres,sub,eq
-index displayName pres,sub,eq
-index uidNumber eq
-index gidNumber eq
-index memberUid eq
-index sambaSID eq
-index sambaPrimaryGroupSID eq
-index sambaDomainName eq
-index default sub
-</pre><p>
- </p></li><li class="step" title="Step 3"><p>
- Create the following file <code class="filename">initdb.ldif</code>:
- <a class="indexterm" name="id329734"></a>
-</p><pre class="programlisting">
-# Organization for SambaXP Demo
-dn: dc=quenya,dc=org
-objectclass: dcObject
-objectclass: organization
-dc: quenya
-o: SambaXP Demo
-description: The SambaXP Demo LDAP Tree
-
-# Organizational Role for Directory Management
-dn: cn=Manager,dc=quenya,dc=org
-objectclass: organizationalRole
-cn: Manager
-description: Directory Manager
-
-# Setting up the container for users
-dn: ou=People, dc=quenya, dc=org
-objectclass: top
-objectclass: organizationalUnit
-ou: People
-
-# Set up an admin handle for People OU
-dn: cn=admin, ou=People, dc=quenya, dc=org
-cn: admin
-objectclass: top
-objectclass: organizationalRole
-objectclass: simpleSecurityObject
-userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
-# The password for above is 'mordonL8'
-</pre><p>
- </p></li><li class="step" title="Step 4"><p>
- Load the initial data above into the LDAP database:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>slapadd -v -l initdb.ldif</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 5"><p>
- Start the LDAP server using the appropriate tool or method for
- the operating system platform on which it is installed.
- </p></li><li class="step" title="Step 6"><p>
- Install the Idealx script files in the <code class="filename">/usr/local/sbin</code> directory,
- then configure the smbldap_conf.pm file to match your system configuration.
- </p></li><li class="step" title="Step 7"><p>
- The <code class="filename">smb.conf</code> file that drives this backend can be found in example <a class="link" href="FastStart.html#fast-ldap" title="Example 2.9. LDAP backend smb.conf for PDC">LDAP backend smb.conf for PDC</a>. Add additional stanzas
- as required.
- </p></li><li class="step" title="Step 8"><p>
- Add the LDAP password to the <code class="filename">secrets.tdb</code> file so Samba can update
- the LDAP database:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -w mordonL8</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 9"><p>
- Add users and groups as required. Users and groups added using Samba tools
- will automatically be added to both the LDAP backend and the operating
- system as required.
- </p></li></ol></div></div><div class="sect4" title="Backup Domain Controller"><div class="titlepage"><div><div><h5 class="title"><a name="id330210"></a>Backup Domain Controller</h5></div></div></div><p>
- <a class="link" href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">&#8220;Remote LDAP BDC smb.conf&#8221;</a> shows the example configuration for the BDC. Note that
- the <code class="filename">smb.conf</code> file does not specify the smbldap-tools scripts they are
- not needed on a BDC. Add additional stanzas for shares and printers as required.
- </p><div class="procedure"><div class="example"><a name="fast-bdc"></a><p class="title"><b>Example 2.10. Remote LDAP BDC smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id330276"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id330286"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id330296"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://frodo.quenya.org</code></em></td></tr><tr><td><a class="indexterm" name="id330307"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id330317"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id330328"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id330338"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id330348"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id330359"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id330369"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330380"></a><em class="parameter"><code>os level = 33</code></em></td></tr><tr><td><a class="indexterm" name="id330390"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330400"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" 
name="id330411"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id330421"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id330432"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id330442"></a><em class="parameter"><code>ldap group suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id330452"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id330463"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id330473"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id330484"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id330494"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id330504"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id330515"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Decide if the BDC should have its own LDAP server or not. If the BDC is to be
- the LDAP server, change the following <code class="filename">smb.conf</code> as indicated. The default
- configuration in <a class="link" href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">Remote LDAP BDC smb.conf</a>
- uses a central LDAP server.
- </p></li><li class="step" title="Step 2"><p>
- Configure the NETLOGON and PROFILES directory as for the PDC in <a class="link" href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">&#8220;Remote LDAP BDC smb.conf&#8221;</a>.
- </p></li></ol></div></div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>
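Review bot: In the removed PDC procedure, step 8 stores the wrong secret for the configured bind DN. Example 2.9 sets ldap admin dn = cn=Manager,dc=quenya,dc=org, and the slapd.conf comment gives that rootdn the password 'nastyon3', but step 8 runs smbpasswd -w mordonL8, which initdb.ldif documents as the password for cn=admin,ou=People. If this text is regenerated from a source file rather than retired, make the bind DN and the stored password agree there. Two further points from the same lines: both smb.conf examples set ldap ssl = no while Example 2.10 binds as cn=Manager to ldap://frodo.quenya.org, so the directory manager bind crosses the network in clear text and the example should show TLS enabled; and step 2 renders a stray red <title>Example slapd.conf File</title> span, which is a markup error in the source.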
diff --git a/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html b/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html
deleted file mode 100644
index 84fc97fb92..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html
+++ /dev/null
@@ -1,398 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. Interdomain Trust Relationships</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="securing-samba.html" title="Chapter 18. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 19. Interdomain Trust Relationships"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 19. 
Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id386823">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id387144">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="InterdomainTrusts.html#id387178">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id388180">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id388191">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id388228">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id386616"></a>
-<a class="indexterm" name="id386623"></a>
-<a class="indexterm" name="id386630"></a>
-<a class="indexterm" name="id386636"></a>
-<a class="indexterm" name="id386643"></a>
-<a class="indexterm" name="id386650"></a>
-<a class="indexterm" name="id386656"></a>
-<a class="indexterm" name="id386663"></a>
-<a class="indexterm" name="id386670"></a>
-Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites
-will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to
-adopt Active Directory or an LDAP-based authentication backend. This chapter explains
-some background information regarding trust relationships and how to create them. It is now
-possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba-to-Samba
-trusts.
-</p><p>
-<a class="indexterm" name="id386684"></a>
-<a class="indexterm" name="id386690"></a>
-<a class="indexterm" name="id386697"></a>
-<a class="indexterm" name="id386704"></a>
-<a class="indexterm" name="id386711"></a>
-The use of interdomain trusts requires use of <code class="literal">winbind</code>, so the
-<code class="literal">winbindd</code> daemon must be running. Winbind operation in this mode is
-dependent on the specification of a valid UID range and a valid GID range in the <code class="filename">smb.conf</code> file.
-These are specified respectively using:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id386743"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id386754"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table><p>
-<a class="indexterm" name="id386766"></a>
-<a class="indexterm" name="id386773"></a>
-<a class="indexterm" name="id386779"></a>
-<a class="indexterm" name="id386786"></a>
-The range of values specified must not overlap values used by the host operating system and must
-not overlap values used in the passdb backend for POSIX user accounts. The maximum value is
-limited by the upper-most value permitted by the host operating system. This is a UNIX kernel
-limited parameter. Linux kernel 2.6-based systems support a maximum value of 4294967295
-(32-bit unsigned variable).
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id386801"></a>
-<a class="indexterm" name="id386808"></a>
-<a class="indexterm" name="id386814"></a>
-The use of winbind is necessary only when Samba is the trusting domain, not when it is the
-trusted domain.
-</p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386823"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id386831"></a>
-<a class="indexterm" name="id386838"></a>
-Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style
-trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4.
-</p><p>
-<a class="indexterm" name="id386849"></a>
-<a class="indexterm" name="id386856"></a>
-<a class="indexterm" name="id386863"></a>
-<a class="indexterm" name="id386870"></a>
-<a class="indexterm" name="id386877"></a>
-Given that Samba-3 can function with a scalable backend authentication database such as LDAP, and given its
-ability to run in primary as well as backup domain control modes, the administrator would be well-advised to
-consider alternatives to the use of interdomain trusts simply because, by the very nature of how trusts
-function, this system is fragile. That was, after all, a key reason for the development and adoption of
-Microsoft Active Directory.
-</p></div><div class="sect1" title="Trust Relationship Background"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386889"></a>Trust Relationship Background</h2></div></div></div><p>
-<a class="indexterm" name="id386897"></a>
-<a class="indexterm" name="id386904"></a>
-<a class="indexterm" name="id386911"></a>
-<a class="indexterm" name="id386917"></a>
-<a class="indexterm" name="id386924"></a>
-<a class="indexterm" name="id386931"></a>
-MS Windows NT3/4-type security domains employ a nonhierarchical security structure.
-The limitations of this architecture as it effects the scalability of MS Windows networking
-in large organizations is well known. Additionally, the flat namespace that results from
-this design significantly impacts the delegation of administrative responsibilities in
-large and diverse organizations.
-</p><p>
-<a class="indexterm" name="id386944"></a>
-<a class="indexterm" name="id386951"></a>
-<a class="indexterm" name="id386958"></a>
-<a class="indexterm" name="id386965"></a>
-<a class="indexterm" name="id386971"></a>
-Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
-of circumventing the limitations of the older technologies. Not every organization is ready
-or willing to embrace ADS. For small companies the older NT4-style domain security paradigm
-is quite adequate, and so there remains an entrenched user base for whom there is no direct
-desire to go through a disruptive change to adopt ADS.
-</p><p>
-<a class="indexterm" name="id386985"></a>
-<a class="indexterm" name="id386992"></a>
-<a class="indexterm" name="id386999"></a>
-<a class="indexterm" name="id387005"></a>
-<a class="indexterm" name="id387012"></a>
-<a class="indexterm" name="id387019"></a>
-<a class="indexterm" name="id387026"></a>
-With Windows NT, Microsoft introduced the ability to allow different security domains
-to effect a mechanism so users from one domain may be given access rights and privileges
-in another domain. The language that describes this capability is couched in terms of
-<span class="emphasis"><em>trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users
-from another domain. The domain from which users can access another security domain is
-said to be a trusted domain. The domain in which those users have assigned rights and privileges
-is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
-so if users in both domains are to have privileges and rights in each others' domain, then it is
-necessary to establish two relationships, one in each direction.
-</p><p>
-<a class="indexterm" name="id387049"></a>
-<a class="indexterm" name="id387056"></a>
-<a class="indexterm" name="id387063"></a>
-<a class="indexterm" name="id387070"></a>
-<a class="indexterm" name="id387076"></a>
-Further, in an NT4-style MS security domain, all trusts are nontransitive. This means that if there are three
-domains (let's call them red, white, and blue), where red and white have a trust relationship, and white and
-blue have a trust relationship, then it holds that there is no implied trust between the red and blue domains.
-Relationships are explicit and not transitive.
-</p><p>
-<a class="indexterm" name="id387090"></a>
-<a class="indexterm" name="id387096"></a>
-<a class="indexterm" name="id387103"></a>
-<a class="indexterm" name="id387110"></a>
-<a class="indexterm" name="id387117"></a>
-<a class="indexterm" name="id387124"></a>
-<a class="indexterm" name="id387130"></a>
-New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way by default.
-Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue domains, with
-Windows 2000 and ADS, the red and blue domains can trust each other. This is an inherent feature of ADS
-domains. Samba-3 implements MS Windows NT4-style interdomain trusts and interoperates with MS Windows 200x ADS
-security domains in similar manner to MS Windows NT4-style domains.
-</p></div><div class="sect1" title="Native MS Windows NT4 Trusts Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387144"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div></div><p>
-<a class="indexterm" name="id387152"></a>
-<a class="indexterm" name="id387161"></a>
-<a class="indexterm" name="id387168"></a>
-There are two steps to creating an interdomain trust relationship. To effect a two-way trust
-relationship, it is necessary for each domain administrator to create a trust account for the
-other domain to use in verifying security credentials.
-</p><div class="sect2" title="Creating an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id387178"></a>Creating an NT4 Domain Trust</h3></div></div></div><p>
-<a class="indexterm" name="id387185"></a>
-<a class="indexterm" name="id387192"></a>
-<a class="indexterm" name="id387199"></a>
-<a class="indexterm" name="id387206"></a>
-<a class="indexterm" name="id387213"></a>
-For MS Windows NT4, all domain trust relationships are configured using the
-<span class="application">Domain User Manager</span>. This is done from the Domain User Manager Policies
-entry on the menu bar. From the <span class="guimenu">Policy</span> menu, select
-<span class="guimenuitem">Trust Relationships</span>. Next to the lower box labeled
-<span class="guilabel">Permitted to Trust this Domain</span> are two buttons, <span class="guibutton">Add</span>
-and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span> button will open a panel in which
-to enter the name of the remote domain that will be able to assign access rights to users in
-your domain. You will also need to enter a password for this trust relationship, which the
-trusting domain will use when authenticating users from the trusted domain.
-The password needs to be typed twice (for standard confirmation).
-</p></div><div class="sect2" title="Completing an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id387268"></a>Completing an NT4 Domain Trust</h3></div></div></div><p>
-<a class="indexterm" name="id387276"></a>
-<a class="indexterm" name="id387282"></a>
-<a class="indexterm" name="id387289"></a>
-<a class="indexterm" name="id387296"></a>
-<a class="indexterm" name="id387303"></a>
-<a class="indexterm" name="id387310"></a>
-A trust relationship will work only when the other (trusting) domain makes the appropriate connections
-with the trusted domain. To consummate the trust relationship, the administrator launches the
-Domain User Manager from the menu selects <span class="guilabel">Policies</span>, then select
-<span class="guilabel">Trust Relationships</span>, and clicks on the <span class="guibutton">Add</span> button
-next to the box that is labeled <span class="guilabel">Trusted Domains</span>. A panel opens in which
-must be entered the name of the remote domain as well as the password assigned to that trust.
-</p></div><div class="sect2" title="Interdomain Trust Facilities"><div class="titlepage"><div><div><h3 class="title"><a name="id387348"></a>Interdomain Trust Facilities</h3></div></div></div><p>
-<a class="indexterm" name="id387356"></a>
-<a class="indexterm" name="id387363"></a>
-<a class="indexterm" name="id387369"></a>
-<a class="indexterm" name="id387376"></a>
-<a class="indexterm" name="id387383"></a>
-<a class="indexterm" name="id387390"></a>
-A two-way trust relationship is created when two one-way trusts are created, one in each direction.
-Where a one-way trust has been established between two MS Windows NT4 domains (let's call them
-DomA and DomB), the following facilities are created:
-</p><div class="figure"><a name="trusts1"></a><p class="title"><b>Figure 19.1. Trusts overview.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/trusts1.png" alt="Trusts overview."></div></div></div><br class="figure-break"><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- DomA (completes the trust connection) <em class="parameter"><code>Trusts</code></em> DomB.
- </p></li><li class="listitem"><p>
- DomA is the <em class="parameter"><code>Trusting</code></em> domain.
- </p></li><li class="listitem"><p>
- DomB is the <em class="parameter"><code>Trusted</code></em> domain (originates the trust account).
- </p></li><li class="listitem"><p>
- Users in DomB can access resources in DomA.
- </p></li><li class="listitem"><p>
- Users in DomA cannot access resources in DomB.
- </p></li><li class="listitem"><p>
- Global groups from DomB can be used in DomA.
- </p></li><li class="listitem"><p>
- Global groups from DomA cannot be used in DomB.
- </p></li><li class="listitem"><p>
- DomB does appear in the logon dialog box on client workstations in DomA.
- </p></li><li class="listitem"><p>
- DomA does not appear in the logon dialog box on client workstations in DomB.
- </p></li></ul></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Users and groups in a trusting domain cannot be granted rights, permissions, or access
- to a trusted domain.
- </p></li><li class="listitem"><p>
- The trusting domain can access and use accounts (users/global groups) in the
- trusted domain.
- </p></li><li class="listitem"><p>
- Administrators of the trusted domain can be granted administrative rights in the
- trusting domain.
- </p></li><li class="listitem"><p>
- Users in a trusted domain can be given rights and privileges in the trusting
- domain.
- </p></li><li class="listitem"><p>
- Trusted domain global groups can be given rights and permissions in the trusting
- domain.
- </p></li><li class="listitem"><p>
- Global groups from the trusted domain can be made members in local groups on
- MS Windows domain member machines.
- </p></li></ul></div></div></div><div class="sect1" title="Configuring Samba NT-Style Domain Trusts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387544"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div></div><p>
-<a class="indexterm" name="id387552"></a>
-This description is meant to be a fairly short introduction about how to set up a Samba server so
-that it can participate in interdomain trust relationships. Trust relationship support in Samba
-is at an early stage, so do not be surprised if something does not function as it should.
-</p><p>
-<a class="indexterm" name="id387565"></a>
-<a class="indexterm" name="id387572"></a>
-<a class="indexterm" name="id387579"></a>
-<a class="indexterm" name="id387585"></a>
-Each of the procedures described next assumes the peer domain in the trust relationship is controlled by a
-Windows NT4 server. However, the remote end could just as well be another Samba-3 domain. It can be clearly
-seen, after reading this document, that combining Samba-specific parts of what's written in the following
-sections leads to trust between domains in a purely Samba environment.
-</p><div class="sect2" title="Samba as the Trusted Domain"><div class="titlepage"><div><div><h3 class="title"><a name="samba-trusted-domain"></a>Samba as the Trusted Domain</h3></div></div></div><p>
-<a class="indexterm" name="id387608"></a>
-<a class="indexterm" name="id387615"></a>
-<a class="indexterm" name="id387622"></a>
-<a class="indexterm" name="id387628"></a>
-<a class="indexterm" name="id387635"></a>
-In order to set the Samba PDC to be the trusted party of the relationship, you first need
-to create a special account for the domain that will be the trusting party. To do that,
-you can use the <code class="literal">smbpasswd</code> utility. Creating the trusted domain account is
-similar to creating a trusted machine account. Suppose, your domain is
-called SAMBA, and the remote domain is called RUMBA. The first step
-will be to issue this command from your favorite shell:
-</p><p>
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>smbpasswd -a -i rumba</code></strong>
-New SMB password: <strong class="userinput"><code>XXXXXXXX</code></strong>
-Retype SMB password: <strong class="userinput"><code>XXXXXXXX</code></strong>
-Added user rumba$
-</pre><p>
-
-where <code class="option">-a</code> means to add a new account into the
-passdb database and <code class="option">-i</code> means to <span class="quote">&#8220;<span class="quote">create this
-account with the Interdomain trust flag</span>&#8221;</span>.
-</p><p>
-<a class="indexterm" name="id387699"></a>
-<a class="indexterm" name="id387706"></a>
-<a class="indexterm" name="id387713"></a>
-<a class="indexterm" name="id387720"></a>
-The account name will be <span class="quote">&#8220;<span class="quote">rumba$</span>&#8221;</span> (the name of the remote domain).
-If this fails, you should check that the trust account has been added to the system
-password database (<code class="filename">/etc/passwd</code>). If it has not been added, you
-can add it manually and then repeat the previous step.
-</p><p>
-<a class="indexterm" name="id387741"></a>
-<a class="indexterm" name="id387748"></a>
-<a class="indexterm" name="id387755"></a>
-<a class="indexterm" name="id387762"></a>
-After issuing this command, you will be asked to enter the password for the account. You can use any password
-you want, but be aware that Windows NT will not change this password until 7 days following account creation.
-After the command returns successfully, you can look at the entry for the new account (in the standard way as
-appropriate for your configuration) and see that the account's name is really RUMBA$ and it has the
-<span class="quote">&#8220;<span class="quote">I</span>&#8221;</span> flag set in the flags field. Now you are ready to confirm the trust by establishing it from
-Windows NT Server.
-</p><p>
-<a class="indexterm" name="id387780"></a>
-<a class="indexterm" name="id387787"></a>
-<a class="indexterm" name="id387793"></a>
-<a class="indexterm" name="id387800"></a>
-<a class="indexterm" name="id387807"></a>
-Open <span class="application">User Manager for Domains</span> and from the <span class="guimenu">Policies</span> menu, select
-<span class="guimenuitem">Trust Relationships...</span>. Beside the <span class="guilabel">Trusted domains</span> list box,
-click the <span class="guimenu">Add...</span> button. You will be prompted for the trusted domain name and the
-relationship password. Type in SAMBA, as this is the name of the remote domain and the password used at the
-time of account creation. Click on <span class="guibutton">OK</span> and, if everything went without incident, you
-will see the <code class="computeroutput">Trusted domain relationship successfully established</code> message.
-</p></div><div class="sect2" title="Samba as the Trusting Domain"><div class="titlepage"><div><div><h3 class="title"><a name="id387860"></a>Samba as the Trusting Domain</h3></div></div></div><p>
-<a class="indexterm" name="id387868"></a>
-<a class="indexterm" name="id387875"></a>
-This time activities are somewhat reversed. Again, we'll assume that your domain
-controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA.
-</p><p>
-The very first step is to add an account for the SAMBA domain on RUMBA's PDC.
-</p><p>
-<a class="indexterm" name="id387890"></a>
-<a class="indexterm" name="id387897"></a>
-<a class="indexterm" name="id387904"></a>
-Launch the <span class="application">Domain User Manager</span>, then from the menu select
-<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
-Now, next to the <span class="guilabel">Trusting Domains</span> box, press the <span class="guibutton">Add</span>
-button and type in the name of the trusted domain (SAMBA) and the password to use in securing
-the relationship.
-</p><p>
-<a class="indexterm" name="id387945"></a>
-<a class="indexterm" name="id387951"></a>
-The password can be arbitrarily chosen. It is easy to change the password from the Samba server whenever you
-want. After you confirm the password, your account is ready for use. Now its Samba's turn.
-</p><p>
-Using your favorite shell while logged in as root, issue this command:
-<a class="indexterm" name="id387964"></a>
-</p><p>
-<code class="prompt">root# </code><strong class="userinput"><code>net rpc trustdom establish rumba</code></strong>
-</p><p>
-<a class="indexterm" name="id387992"></a>
-<a class="indexterm" name="id387999"></a>
-<a class="indexterm" name="id388006"></a>
-You will be prompted for the password you just typed on your Windows NT4 Server box.
-An error message, <code class="literal">"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</code>
-that may be reported periodically is of no concern and may safely be ignored.
-It means the password you gave is correct and the NT4 server says the account is ready for
-interdomain connection and not for ordinary connection. After that, be patient;
-it can take a while (especially in large networks), but eventually you should see
-the <code class="literal">Success</code> message. Congratulations! Your trust
-relationship has just been established.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-You have to run this command as root because you must have write access to
-the <code class="filename">secrets.tdb</code> file.
-</p></div></div></div><div class="sect1" title="NT4-Style Domain Trusts with Windows 2000"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388043"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div></div><p>
-<a class="indexterm" name="id388051"></a>
-<a class="indexterm" name="id388058"></a>
-<a class="indexterm" name="id388065"></a>
-<a class="indexterm" name="id388072"></a>
-Although <span class="application">Domain User Manager</span> is not present in Windows 2000, it is
-also possible to establish an NT4-style trust relationship with a Windows 2000 domain
-controller running in mixed mode as the trusting server. It should also be possible for
-Samba to trust a Windows 2000 server; however, more testing is still needed in this area.
-</p><p>
-<a class="indexterm" name="id388090"></a>
-<a class="indexterm" name="id388097"></a>
-<a class="indexterm" name="id388104"></a>
-<a class="indexterm" name="id388111"></a>
-After <a class="link" href="InterdomainTrusts.html#samba-trusted-domain" title="Samba as the Trusted Domain">creating the interdomain trust account on the Samba server</a>
-as described previously, open <span class="application">Active Directory Domains and Trusts</span> on the AD
-controller of the domain whose resources you wish Samba users to have access to. Remember that since NT4-style
-trusts are not transitive, if you want your users to have access to multiple mixed-mode domains in your AD
-forest, you will need to repeat this process for each of those domains. With <span class="application">Active Directory
-domains and trusts</span> open, right-click on the name of the Active Directory domain that will trust
-our Samba domain and choose <span class="guimenuitem">Properties</span>, then click on the
-<span class="guilabel">Trusts</span> tab. In the upper part of the panel, you will see a list box labeled
-<span class="guilabel">Domains trusted by this domain:</span> and an <span class="guilabel">Add...</span> button next to it.
-Press this button and, just as with NT4, you will be prompted for the trusted domain name and the relationship
-password. Press <span class="emphasis"><em>OK</em></span> and after a moment, Active Directory will respond with
-<code class="computeroutput">The trusted domain has been added and the trust has been verified.</code> Your
-Samba users can now be granted access to resources in the AD domain.
-</p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388180"></a>Common Errors</h2></div></div></div><p>
-Interdomain trust relationships should not be attempted on networks that are unstable
-or that suffer regular outages. Network stability and integrity are key concerns with
-distributed trusted domains.
-</p><div class="sect2" title="Browsing of Trusted Domain Fails"><div class="titlepage"><div><div><h3 class="title"><a name="id388191"></a>Browsing of Trusted Domain Fails</h3></div></div></div><p>
-<span class="emphasis"><em>Browsing from a machine in a trusted Windows 200x domain to a Windows 200x member of
-a trusting Samba domain, I get the following error:</em></span>
-</p><pre class="screen">
-The system detected a possible attempt to compromise security. Please
-ensure that you can contact the server that authenticated you.
-</pre><p>
-</p><p>
-<span class="emphasis"><em>The event logs on the box I'm trying to connect to have entries regarding group
-policy not being applied because it is a member of a down-level domain.</em></span>
-</p><p>If there is a computer account in the Windows
-200x domain for the machine in question, and it is disabled, this problem can
-occur. If there is no computer account (removed or never existed), or if that
-account is still intact (i.e., you just joined it to another domain), everything
-seems to be fine. By default, when you unjoin a domain (the Windows 200x
-domain), the computer tries to automatically disable the computer account in
-the domain. If you are running as an account that has privileges to do this
-when you unjoin the machine, it is done; otherwise it is not done.
-</p></div><div class="sect2" title="Problems with LDAP ldapsam and Older Versions of smbldap-tools"><div class="titlepage"><div><div><h3 class="title"><a name="id388228"></a>Problems with LDAP ldapsam and Older Versions of smbldap-tools</h3></div></div></div><p>
-If you use the <code class="literal">smbldap-useradd</code> script to create a trust
-account to set up interdomain trusts, the process of setting up the trust will
-fail. The account that was created in the LDAP database will have an account
-flags field that has <code class="literal">[W ]</code>, when it must have
-<code class="literal">[I ]</code> for interdomain trusts to work.
-</p><p>Here is a simple solution.
-Create a machine account as follows:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbldap-useradd -w domain_name
-</pre><p>
-Then set the desired trust account password as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbldap-passwd domain_name\$
-</pre><p>
-Using a text editor, create the following file:
-</p><pre class="screen">
-dn: uid=domain_name$,ou=People,dc={your-domain},dc={your-top-level-domain}
-changetype: modify
-sambaAcctFlags: [I ]
-</pre><p>
-Then apply the text file to the LDAP database as follows:
-</p><pre class="screen">
-<code class="prompt">root# </code> ldapmodify -x -h localhost \
- -D "cn=Manager,dc={your-domain},dc={your-top-level-domain}" \
- -W -f /path-to/foobar
-</pre><p>
-Create a single-sided trust under the NT4 Domain User Manager, then execute:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc trustdom establish domain_name
-</pre><p>
-</p><p>
-It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows 200x ADS in mixed mode.
-Both domain controllers, Samba and NT must have the same WINS server; otherwise,
-the trust will never work.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 18. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 20. Hosting a Microsoft Distributed File System Tree</td></tr></table></div></body></html>
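Review bot: The LDIF example in the removed "Problems with LDAP ldapsam and Older Versions of smbldap-tools" section is not a valid modify record. `changetype: modify` is followed directly by `sambaAcctFlags: [I ]` with no operation line, so the `ldapmodify ... -f /path-to/foobar` step that follows would reject the file instead of setting the interdomain flag. This hunk only drops the rendered page, so the correction belongs wherever the chapter text is maintained: add a `replace: sambaAcctFlags` line before the value. The text also says "create the following file" without naming it, while the command reads `/path-to/foobar`; naming the file in the instruction would remove the guesswork.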
diff --git a/docs/htmldocs/Samba3-HOWTO/IntroSMB.html b/docs/htmldocs/Samba3-HOWTO/IntroSMB.html
deleted file mode 100644
index 79b904d8cd..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/IntroSMB.html
+++ /dev/null
@@ -1,134 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Introduction</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="TOSHpreface.html" title="Preface"><link rel="next" href="introduction.html" title="Part I. General Installation"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Introduction</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="TOSHpreface.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr></table><hr></div><div class="preface" title="Introduction"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Introduction</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">June 29, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="IntroSMB.html#id323832">What Is Samba?</a></span></dt><dt><span class="sect1"><a href="IntroSMB.html#id280609">Why This Book?</a></span></dt><dt><span class="sect1"><a href="IntroSMB.html#id324017">Book Structure and Layout</a></span></dt></dl></div><p><span class="quote">&#8220;<span class="quote">
-A man's gift makes room for him before great men. Gifts are like hooks that can catch
-hold of the mind taking it beyond the reach of forces that otherwise might constrain it.
-</span>&#8221;</span> --- Anon.
-</p><p>
-This is a book about Samba. It is a tool, a derived work of the labors
-of many and of the diligence and goodwill of more than a few.
-This book contains material that has been contributed in a persistent belief
-that each of us can add value to our neighbors as well as to those who will
-follow us.
-</p><p>
-This book is designed to meet the needs of the Microsoft network administrator.
-UNIX administrators will benefit from this book also, though they may complain
-that it is hard to find the information they think they need. So if you are a
-Microsoft certified specialist, this book should meet your needs rather well.
-If you are a UNIX or Linux administrator, there is no need to feel badly you
-should have no difficulty finding answers to your current concerns also.
-</p><div class="sect1" title="What Is Samba?"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323832"></a>What Is Samba?</h2></div></div></div><p>
- Samba is a big, complex project. The Samba project is ambitious and exciting.
- The team behind Samba is a group of some thirty individuals who are spread
- the world over and come from an interesting range of backgrounds. This team
- includes scientists, engineers, programmers, business people, and students.
- </p><p>
- Team members were drawn into active participation through the desire to help
- deliver an exciting level of transparent interoperability between Microsoft
- Windows and the non-Microsoft information
- technology world.
- </p><p>
- The slogan that unites the efforts behind the Samba project says:
- <span class="emphasis"><em>Samba, Opening Windows to a Wider World!</em></span> The goal
- behind the project is one of removing barriers to interoperability.
- </p><p>
- Samba provides file and print services for Microsoft Windows clients. These
- services may be hosted off any TCP/IP-enabled platform. The original deployment
- platforms were UNIX and Linux, though today it is in common use across
- a broad variety of systems.
- </p><p>
- The Samba project includes not only an impressive feature set in file and print
- serving capabilities, but has been extended to include client functionality,
- utilities to ease migration to Samba, tools to aid interoperability with
- Microsoft Windows, and administration tools.
- </p><p>
- The real people behind Samba are users like you. You have inspired the
- developers (the Samba Team) to do more than any of them imagined could or should
- be done. User feedback drives Samba development. Samba-3 in particular incorporates
- a huge amount of work done as a result of user requests, suggestions and direct
- code contributions.
- </p></div><div class="sect1" title="Why This Book?"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id280609"></a>Why This Book?</h2></div></div></div><p>
- There is admittedly a large number of Samba books on the market today and
- each book has its place. Despite the apparent plethora of books, Samba
- as a project continues to receive much criticism for failing to provide
- sufficient documentation. Samba is also criticized for being too complex
- and too difficult to configure. In many ways this is evidence of the
- success of Samba as there would be no complaints if it was not successful.
- </p><p>
- The Samba Team members work predominantly with UNIX and Linux, so
- it is hardly surprising that existing Samba documentation should reflect
- that orientation. The original HOWTO text documents were intended to provide
- some tips, a few golden nuggets, and if they helped anyone then that was
- just wonderful. But the HOWTO documents lacked structure and context. They were
- isolated snapshots of information that were written to pass information
- on to someone else who might benefit. They reflected a need to transmit
- more information that could be conveniently put into manual pages.
- </p><p>
- The original HOWTO documents were written by different authors. Most HOWTO
- documents are the result of feedback and contributions from numerous
- authors. In this book we took care to preserve as much original content as
- possible. As you read this book you will note that chapters were written by
- multiple authors, each of whom has his own style. This demonstrates
- the nature of the Open Source software development process.
- </p><p>
- Out of the original HOWTO documents sprang a collection of unofficial
- HOWTO documents that are spread over the Internet. It is sincerely intended
- that this work will <span class="emphasis"><em>not</em></span> replace the valuable unofficial
- HOWTO work that continues to flourish. If you are involved in unofficial
- HOWTO production then please continue your work!
- </p><p>
- Those of you who have dedicated your labors to the production of unofficial
- HOWTOs, to Web page information regarding Samba, or to answering questions
- on the mailing lists or elsewhere, may be aware that this is a labor
- of love. We would like to know about your contribution and willingly receive
- the precious pearls of wisdom you have collected. Please email your contribution to
- <a class="ulink" href="mailto:jht@samba.org" target="_top">John H. Terpstra (jht@samba.org)</a>.
- As a service to other users we will gladly adopt material that is technically accurate.
- </p><p>
- Existing Samba books are largely addressed to the UNIX administrator.
- From the perspective of this target group the existing books serve
- an adequate purpose, with one exception now that Samba-3 is out
- they need to be updated!
- </p><p>
- This book, the <span class="emphasis"><em>Official Samba-3 HOWTO and Reference Guide</em></span>,
- includes the Samba-HOWTO-Collection.pdf that ships with Samba.
- These documents have been written with a new design intent and purpose.
- </p><p>
- Over the past two years many Microsoft network administrators have adopted
- Samba and have become interested in its deployment. Their information needs
- are very different from that of the UNIX administrator. This book has been
- arranged and the information presented from the perspective of someone with previous
- Microsoft Windows network administrative training and experience.
- </p></div><div class="sect1" title="Book Structure and Layout"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id324017"></a>Book Structure and Layout</h2></div></div></div><p>
- This book is presented in six parts:
- </p><div class="variablelist"><dl><dt><span class="term">General Installation</span></dt><dd><p>
- Designed to help you get Samba-3 running quickly.
- The Fast Start chapter is a direct response to requests from
- Microsoft network administrators for some sample configurations
- that <span class="emphasis"><em>just work</em></span>.
- </p></dd><dt><span class="term">Server Configuration Basics</span></dt><dd><p>
- The purpose of this section is to aid the transition from existing
- Microsoft Windows network knowledge to Samba terminology and norms.
- The chapters in this part each cover the installation of one type of
- Samba server.
- </p></dd><dt><span class="term">Advanced Configuration</span></dt><dd><p>
- The mechanics of network browsing have long been the Achilles heel of
- all Microsoft Windows users. Samba-3 introduces new user and machine
- account management facilities, a new way to map UNIX groups and Windows
- groups, Interdomain trusts, new loadable file system drivers (VFS), and
- more. New with this document is expanded printing documentation, as well
- as a wealth of information regarding desktop and user policy handling,
- use of desktop profiles, and techniques for enhanced network integration.
- This section makes up the core of the book. Read and enjoy.
- </p></dd><dt><span class="term">Migration and Updating</span></dt><dd><p>
- A much requested addition to the book is information on how to migrate
- from Microsoft Windows NT4 to Samba-3, as well as an overview of what the
- issues are when moving from Samba-2.x to Samba-3.
- </p></dd><dt><span class="term">Troubleshooting</span></dt><dd><p>
- This short section should help you when all else fails.
- </p></dd><dt><span class="term">Reference Section</span></dt><dd><p>
- Here you will find a collection of things that are either too peripheral
- for most users, or are a little left of field to be included in the
- main body of information.
- </p></dd></dl></div><p>
-Welcome to Samba-3 and the first published document to help you and your users to enjoy a whole
-new world of interoperability between Microsoft Windows and the rest of the world.
-</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="TOSHpreface.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Preface </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part I. General Installation</td></tr></table></div></body></html>
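Review bot: Missing rationale for removing this page. The first removed line carries `<meta name="generator" content="DocBook XSL Stylesheets V1.75.2">`, so IntroSMB.html is build output rather than hand-written text; the change description should say that and say how the HTML is produced from now on. The removed navigation header and footer link to `TOSHpreface.html`, `introduction.html` and `index.html`, so any install or packaging rule that expects files under docs/htmldocs/Samba3-HOWTO/ needs updating in the same change.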
diff --git a/docs/htmldocs/Samba3-HOWTO/NT4Migration.html b/docs/htmldocs/Samba3-HOWTO/NT4Migration.html
deleted file mode 100644
index 7dad77882c..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/NT4Migration.html
+++ /dev/null
@@ -1,279 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 36. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="prev" href="upgrading-to-3.0.html" title="Chapter 35. Updating and Upgrading Samba"><link rel="next" href="SWAT.html" title="Chapter 37. SWAT: The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 36. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 36. Migration from NT4 PDC to Samba-3 PDC"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 36. 
Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NT4Migration.html#id441392">Planning and Getting Started</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id441422">Objectives</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id442286">Steps in Migration Process</a></span></dt></dl></dd><dt><span class="sect1"><a href="NT4Migration.html#id442509">Migration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id442592">Planning for Success</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id441376"></a>
-<a class="indexterm" name="id441383"></a>
-This is a rough guide to assist those wishing to migrate from NT4 domain control to
-Samba-3-based domain control.
-</p><div class="sect1" title="Planning and Getting Started"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id441392"></a>Planning and Getting Started</h2></div></div></div><p>
-<a class="indexterm" name="id441400"></a>
-In the IT world there is often a saying that all problems are encountered because of
-poor planning. The corollary to this saying is that not all problems can be anticipated
-and planned for. Then again, good planning will anticipate most show-stopper-type situations.
-</p><p>
-<a class="indexterm" name="id441412"></a>
-Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control
-environment would do well to develop a detailed migration plan. So here are a few pointers to
-help migration get underway.
-</p><div class="sect2" title="Objectives"><div class="titlepage"><div><div><h3 class="title"><a name="id441422"></a>Objectives</h3></div></div></div><p>
-<a class="indexterm" name="id441430"></a>
-The key objective for most organizations is to make the migration from MS Windows NT4
-to Samba-3 domain control as painless as possible. One of the challenges you may experience
-in your migration process may well be convincing management that the new environment
-should remain in place. Many who have introduced open source technologies have experienced
-pressure to return to a Microsoft-based platform solution at the first sign of trouble.
-</p><p>
-<a class="indexterm" name="id441444"></a>
-Before attempting a migration to a Samba-3-controlled network, make every possible effort to
-gain all-round commitment to the change. Know precisely <span class="emphasis"><em>why</em></span> the change
-is important for the organization. Possible motivations to make a change include:
-</p><a class="indexterm" name="id441457"></a><a class="indexterm" name="id441464"></a><a class="indexterm" name="id441471"></a><a class="indexterm" name="id441478"></a><a class="indexterm" name="id441484"></a><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Improve network manageability.</p></li><li class="listitem"><p>Obtain better user-level functionality.</p></li><li class="listitem"><p>Reduce network operating costs.</p></li><li class="listitem"><p>Reduce exposure caused by Microsoft withdrawal of NT4 support.</p></li><li class="listitem"><p>Avoid MS License 6 implications.</p></li><li class="listitem"><p>Reduce organization's dependency on Microsoft.</p></li></ul></div><p>
-<a class="indexterm" name="id441525"></a>
-<a class="indexterm" name="id441532"></a>
-<a class="indexterm" name="id441539"></a>
-<a class="indexterm" name="id441545"></a>
-<a class="indexterm" name="id441552"></a>
-<a class="indexterm" name="id441559"></a>
-Make sure everyone knows that Samba-3 is not MS Windows NT4. Samba-3 offers
-an alternative solution that is both different from MS Windows NT4 and offers
-advantages compared with it. Gain recognition that Samba-3 lacks many of the
-features that Microsoft has promoted as core values in migration from MS Windows NT4 to
-MS Windows 2000 and beyond (with or without Active Directory services).
-</p><p>
-What are the features that Samba-3 cannot provide?
-</p><a class="indexterm" name="id441574"></a><a class="indexterm" name="id441581"></a><a class="indexterm" name="id441587"></a><a class="indexterm" name="id441594"></a><a class="indexterm" name="id441601"></a><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Active Directory Server.</p></li><li class="listitem"><p>Group Policy Objects (in Active Directory).</p></li><li class="listitem"><p>Machine Policy Objects.</p></li><li class="listitem"><p>Logon Scripts in Active Directory.</p></li><li class="listitem"><p>Software Application and Access Controls in Active Directory.</p></li></ul></div><p>
-The features that Samba-3 does provide and that may be of compelling interest to your site
-include:
-</p><a class="indexterm" name="id441639"></a><a class="indexterm" name="id441646"></a><a class="indexterm" name="id441652"></a><a class="indexterm" name="id441659"></a><a class="indexterm" name="id441666"></a><a class="indexterm" name="id441673"></a><a class="indexterm" name="id441680"></a><a class="indexterm" name="id441686"></a><a class="indexterm" name="id441693"></a><a class="indexterm" name="id441700"></a><a class="indexterm" name="id441707"></a><a class="indexterm" name="id441714"></a><a class="indexterm" name="id441720"></a><a class="indexterm" name="id441727"></a><a class="indexterm" name="id441734"></a><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Lower cost of ownership.</p></li><li class="listitem"><p>Global availability of support with no strings attached.</p></li><li class="listitem"><p>Dynamic SMB servers (can run more than one SMB/CIFS server per UNIX/Linux system).</p></li><li class="listitem"><p>Creation of on-the-fly logon scripts.</p></li><li class="listitem"><p>Creation of on-the-fly policy files.</p></li><li class="listitem"><p>Greater stability, reliability, performance, and availability.</p></li><li class="listitem"><p>Manageability via an SSH connection.</p></li><li class="listitem"><p>Flexible choices of backend authentication technologies (tdbsam, ldapsam).</p></li><li class="listitem"><p>Ability to implement a full single-sign-on architecture.</p></li><li class="listitem"><p>Ability to distribute authentication systems for absolute minimum wide-area network bandwidth demand.</p></li></ul></div><p>
-<a class="indexterm" name="id441795"></a>
-Before migrating a network from MS Windows NT4 to Samba-3, consider all necessary factors. Users
-should be educated about changes they may experience so the change will be a welcome one
-and not become an obstacle to the work they need to do. The following sections explain factors that will
-help ensure a successful migration.
-</p><div class="sect3" title="Domain Layout"><div class="titlepage"><div><div><h4 class="title"><a name="id441806"></a>Domain Layout</h4></div></div></div><p>
-<a class="indexterm" name="id441814"></a>
-<a class="indexterm" name="id441820"></a>
-<a class="indexterm" name="id441827"></a>
-<a class="indexterm" name="id441834"></a>
-<a class="indexterm" name="id441841"></a>
-<a class="indexterm" name="id441848"></a>
-<a class="indexterm" name="id441855"></a>
-<a class="indexterm" name="id441861"></a>
-<a class="indexterm" name="id441868"></a>
-<a class="indexterm" name="id441875"></a>
-<a class="indexterm" name="id441882"></a>
-<a class="indexterm" name="id441888"></a>
-<a class="indexterm" name="id441895"></a>
-<a class="indexterm" name="id441902"></a>
-<a class="indexterm" name="id441909"></a>
-<a class="indexterm" name="id441916"></a>
-Samba-3 can be configured as a domain controller, a backup domain controller (probably best called
-a secondary controller), a domain member, or a standalone server. The Windows network security
-domain context should be sized and scoped before implementation. Particular attention needs to be
-paid to the location of the Primary Domain Controller (PDC) as well as backup controllers (BDCs).
-One way in which Samba-3 differs from Microsoft technology is that if one chooses to use an LDAP
-authentication backend, then the same database can be used by several different domains. In a
-complex organization, there can be a single LDAP database, which itself can be distributed (have
-a master server and multiple slave servers) that can simultaneously serve multiple domains.
-</p><p>
-<a class="indexterm" name="id441932"></a>
-From a design perspective, the number of users per server as well as the number of servers per
-domain should be scaled taking into consideration server capacity and network bandwidth.
-</p><p>
-<a class="indexterm" name="id441944"></a>
-<a class="indexterm" name="id441951"></a>
-<a class="indexterm" name="id441958"></a>
-<a class="indexterm" name="id441964"></a>
-<a class="indexterm" name="id441971"></a>
-<a class="indexterm" name="id441978"></a>
-A physical network segment may house several domains. Each may span multiple network segments.
-Where domains span routed network segments, consider and test the performance implications of
-the design and layout of a network. A centrally located domain controller that is designed to
-serve multiple routed network segments may result in severe performance problems. Check the
-response time (ping timing) between the remote segment and the PDC. If it's long (more than 100 ms),
-locate a BDC on the remote segment to serve as the local authentication and access control server.
-</p></div><div class="sect3" title="Server Share and Directory Layout"><div class="titlepage"><div><div><h4 class="title"><a name="id441992"></a>Server Share and Directory Layout</h4></div></div></div><p>
-<a class="indexterm" name="id441999"></a>
-<a class="indexterm" name="id442006"></a>
-There are cardinal rules to effective network design that cannot be broken with impunity.
-The most important rule: Simplicity is king in every well-controlled network. Every part of
-the infrastructure must be managed; the more complex it is, the greater will be the demand
-of keeping systems secure and functional.
-</p><p>
-<a class="indexterm" name="id442019"></a>
-<a class="indexterm" name="id442026"></a>
-<a class="indexterm" name="id442033"></a>
-<a class="indexterm" name="id442039"></a>
-<a class="indexterm" name="id442046"></a>
-<a class="indexterm" name="id442053"></a>
-Keep in mind the nature of how data must be shared. Physical disk space layout should be considered
-carefully. Some data must be backed up. The simpler the disk layout, the easier it will be to
-keep track of backup needs. Identify what backup media will meet your needs; consider backup to tape,
-CD-ROM or DVD-ROM, or other offline storage medium. Plan and implement for minimum
-maintenance. Leave nothing to chance in your design; above all, do not leave backups to chance:
-backup, test, and validate every backup; create a disaster recovery plan and prove that it works.
-</p><p>
-<a class="indexterm" name="id442068"></a>
-<a class="indexterm" name="id442075"></a>
-<a class="indexterm" name="id442082"></a>
-Users should be grouped according to data access control needs. File and directory access
-is best controlled via group permissions, and the use of the <span class="quote">&#8220;<span class="quote">sticky bit</span>&#8221;</span> on group-controlled
-directories may substantially avoid file access complaints from Samba share users.
-</p><p>
-<a class="indexterm" name="id442098"></a>
-<a class="indexterm" name="id442104"></a>
-<a class="indexterm" name="id442111"></a>
-<a class="indexterm" name="id442118"></a>
-<a class="indexterm" name="id442125"></a>
-Inexperienced network administrators often attempt elaborate techniques to set access
-controls on files, directories, shares, as well as in share definitions.
-Keep your design and implementation simple and document your design extensively. Have others
-audit your documentation. Do not create a complex mess that your successor will not understand.
-Remember, job security through complex design and implementation may cause loss of operations
-and downtime to users as the new administrator learns to untangle your knots. Keep access
-controls simple and effective, and make sure that users will never be interrupted by obtuse
-complexity.
-</p></div><div class="sect3" title="Logon Scripts"><div class="titlepage"><div><div><h4 class="title"><a name="id442139"></a>Logon Scripts</h4></div></div></div><p>
-<a class="indexterm" name="id442147"></a>
-Logon scripts can help to ensure that all users gain the share and printer connections they need.
-</p><p>
-Logon scripts can be created on the fly so all commands executed are specific to the
-rights and privileges granted to the user. The preferred controls should be effected through
-group membership so group information can be used to create a custom logon script using
-the <a class="link" href="smb.conf.5.html#ROOTPREEXEC" target="_top">root preexec</a> parameters to the <em class="parameter"><code>NETLOGON</code></em> share.
-</p><p>
-<a class="indexterm" name="id442182"></a>
-Some sites prefer to use a tool such as <code class="literal">kixstart</code> to establish a controlled
-user environment. In any case, you may wish to do a Google search for logon script process controls.
-In particular, you may wish to explore the use of the Microsoft Knowledge Base article KB189105 that
-deals with how to add printers without user intervention via the logon script process.
-</p></div><div class="sect3" title="Profile Migration/Creation"><div class="titlepage"><div><div><h4 class="title"><a name="id442200"></a>Profile Migration/Creation</h4></div></div></div><p>
-User and group profiles may be migrated using the tools described in the section titled Desktop Profile
-Management.
-</p><p>
-<a class="indexterm" name="id442212"></a>
-<a class="indexterm" name="id442218"></a>
-Profiles may also be managed using the Samba-3 tool <code class="literal">profiles</code>. This tool allows the MS
-Windows NT-style security identifiers (SIDs) that are stored inside the profile
-<code class="filename">NTuser.DAT</code> file to be changed to the SID of the Samba-3 domain.
-</p></div><div class="sect3" title="User and Group Accounts"><div class="titlepage"><div><div><h4 class="title"><a name="id442241"></a>User and Group Accounts</h4></div></div></div><p>
-<a class="indexterm" name="id442249"></a>
-<a class="indexterm" name="id442256"></a>
-<a class="indexterm" name="id442262"></a>
-<a class="indexterm" name="id442269"></a>
-It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
-attempting to migrate user and group accounts, you are STRONGLY advised to create in Samba-3 the
-groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to map them to
-suitable UNIX/Linux groups. By following this simple advice, all user and group attributes
-should migrate painlessly.
-</p></div></div><div class="sect2" title="Steps in Migration Process"><div class="titlepage"><div><div><h3 class="title"><a name="id442286"></a>Steps in Migration Process</h3></div></div></div><p>
-The approximate migration process is described below.
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- You have an NT4 PDC that has the users, groups, policies, and profiles to be migrated.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id442306"></a>
-<a class="indexterm" name="id442313"></a>
-<a class="indexterm" name="id442319"></a>
- Samba-3 is set up as a domain controller with netlogon share, profile share, and so on. Configure the <code class="filename">smb.conf</code> file
- to function as a BDC: <em class="parameter"><code>domain master = No</code></em>.
- </p></li></ul></div><div class="procedure" title="Procedure 36.1. The Account Migration Process"><a name="id442341"></a><p class="title"><b>Procedure 36.1. The Account Migration Process</b></p><a class="indexterm" name="id442427"></a><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- <a class="indexterm" name="id442352"></a>
- Create a BDC account in the old NT4 domain for the Samba server using NT Server Manager.
- <span class="emphasis"><em>Samba must not be running.</em></span>
- </p></li><li class="step" title="Step 2"><p>
- <a class="indexterm" name="id442370"></a>
- <strong class="userinput"><code>net rpc join -S <em class="replaceable"><code>NT4PDC</code></em> -w <em class="replaceable"><code>DOMNAME</code></em> -U
- Administrator%<em class="replaceable"><code>passwd</code></em></code></strong>
- </p></li><li class="step" title="Step 3"><p>
-<a class="indexterm" name="id442403"></a>
- <strong class="userinput"><code>net rpc vampire -S <em class="replaceable"><code>NT4PDC</code></em> -U
- administrator%<em class="replaceable"><code>passwd</code></em></code></strong>
- </p></li><li class="step" title="Step 4"><p><strong class="userinput"><code>pdbedit -L</code></strong></p><p>Note: Did the users migrate?</p></li><li class="step" title="Step 5"><p>
- <a class="indexterm" name="id442454"></a>
- <a class="indexterm" name="id442463"></a>
- Now assign each of the UNIX groups to NT groups:
- (It may be useful to copy this text to a script called <code class="filename">initGroups.sh</code>)
- </p><pre class="programlisting">
-#!/bin/bash
-#### Keep this as a shell script for future re-use
-
-# First assign well known domain global groups
-net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
-net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
-net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
-
-# Now for our added domain global groups
-net groupmap add ntgroup="Designers" unixgroup=designers type=d
-net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
-net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
-</pre><p>
- </p></li><li class="step" title="Step 6"><p><strong class="userinput"><code>net groupmap list</code></strong></p><p>Check that all groups are recognized.
- </p></li></ol></div><p>
-Migrate all the profiles, then migrate all policy files.
-</p></div></div><div class="sect1" title="Migration Options"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id442509"></a>Migration Options</h2></div></div></div><p>
-Sites that wish to migrate from MS Windows NT4 domain control to a Samba-based solution
-generally fit into three basic categories. <a class="link" href="NT4Migration.html#majtypes" title="Table 36.1. The Three Major Site Types">Following table</a> shows the possibilities.
-</p><div class="table"><a name="majtypes"></a><p class="title"><b>Table 36.1. The Three Major Site Types</b></p><div class="table-contents"><table summary="The Three Major Site Types" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Number of Users</th><th align="justify">Description</th></tr></thead><tbody><tr><td align="left">&lt; 50</td><td align="justify"><p>Want simple conversion with no pain.</p></td></tr><tr><td align="left">50 - 250</td><td align="justify"><p>Want new features; can manage some inhouse complexity.</p></td></tr><tr><td align="left">&gt; 250</td><td align="justify"><p>Solution/implementation must scale well; complex needs.
- Cross-departmental decision process. Local expertise in most areas.</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" title="Planning for Success"><div class="titlepage"><div><div><h3 class="title"><a name="id442592"></a>Planning for Success</h3></div></div></div><p>
-There are three basic choices for sites that intend to migrate from MS Windows NT4
-to Samba-3:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Simple conversion (total replacement).
- </p></li><li class="listitem"><p>
- Upgraded conversion (could be one of integration).
- </p></li><li class="listitem"><p>
- Complete redesign (completely new solution).
- </p></li></ul></div><p>
-Minimize downstream problems by:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Taking sufficient time.
- </p></li><li class="listitem"><p>
- Avoiding panic.
- </p></li><li class="listitem"><p>
- Testing all assumptions.
- </p></li><li class="listitem"><p>
- Testing the full roll-out program, including workstation deployment.
- </p></li></ul></div><p><a class="link" href="NT4Migration.html#natconchoices" title="Table 36.2. Nature of the Conversion Choices">Following table</a> lists the conversion choices given the type of migration
-being contemplated.
-</p><div class="table"><a name="natconchoices"></a><p class="title"><b>Table 36.2. Nature of the Conversion Choices</b></p><div class="table-contents"><table summary="Nature of the Conversion Choices" border="1"><colgroup><col align="justify"><col align="justify"><col align="justify"></colgroup><thead><tr><th align="justify">Simple Install</th><th align="justify">Upgrade Decisions</th><th align="justify">Redesign Decisions</th></tr></thead><tbody><tr><td align="justify"><p>Make use of minimal OS-specific features</p></td><td align="justify"><p>Translate NT4 features to new host OS features</p></td><td align="justify"><p>Improve on NT4 functionality, enhance management capabilities</p></td></tr><tr><td align="justify"><p>Move all accounts from NT4 into Samba-3</p></td><td align="justify"><p>Copy and improve</p></td><td align="justify"><p>Authentication regime (database location and access)</p></td></tr><tr><td align="justify"><p>Make least number of operational changes</p></td><td align="justify"><p>Make progressive improvements</p></td><td align="justify"><p>Desktop management methods</p></td></tr><tr><td align="justify"><p>Take least amount of time to migrate</p></td><td align="justify"><p>Minimize user impact</p></td><td align="justify"><p>Better control of Desktops/Users</p></td></tr><tr><td align="justify"><p>Live versus isolated conversion</p></td><td align="justify"><p>Maximize functionality</p></td><td align="justify"><p>Identify Needs for: <span class="emphasis"><em>Manageability, Scalability, Security, Availability</em></span></p></td></tr><tr><td align="justify"><p>Integrate Samba-3, then migrate while users are active, then change of control (swap out)</p></td><td align="justify"><p>Take advantage of lower maintenance opportunity</p></td><td align="justify"><p></p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" title="Samba-3 Implementation Choices"><div class="titlepage"><div><div><h3 class="title"><a 
name="id442812"></a>Samba-3 Implementation Choices</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">Authentication Database/Backend</span></dt><dd><p>
- Samba-3 can use an external authentication backend:
- </p><p>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Winbind (external Samba or NT4/200x server).</p></li><li class="listitem"><p>External server could use Active Directory or NT4 domain.</p></li><li class="listitem"><p>Can use pam_mkhomedir.so to autocreate home directories.</p></li><li class="listitem"><p> Samba-3 can use a local authentication backend: <em class="parameter"><code>smbpasswd</code></em>,
- <em class="parameter"><code>tdbsam</code></em>, <em class="parameter"><code>ldapsam</code></em>
- </p></li></ul></div></dd><dt><span class="term">Access Control Points</span></dt><dd><p>
- Samba permits Access Control points to be set:
- </p><a class="indexterm" name="id442882"></a><a class="indexterm" name="id442889"></a><a class="indexterm" name="id442896"></a><a class="indexterm" name="id442903"></a><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>On the share itself using share ACLs.</p></li><li class="listitem"><p>On the file system using UNIX permissions on files and directories.</p><p>Note: Can enable Posix ACLs in file system also.</p></li><li class="listitem"><p>Through Samba share parameters not recommended except as last resort.</p></li></ul></div></dd><dt><span class="term">Policies (migrate or create new ones)</span></dt><dd><p>
-<a class="indexterm" name="id442948"></a>
-<a class="indexterm" name="id442954"></a>
- Exercise great caution when making registry changes; use the right tool and be aware
- that changes made through NT4-style <code class="filename">NTConfig.POL</code> files can leave
- permanent changes.
-<a class="indexterm" name="id442968"></a>
-<a class="indexterm" name="id442975"></a>
-<a class="indexterm" name="id442982"></a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Using Group Policy Editor (NT4).</p></li><li class="listitem"><p>Watch out for tattoo effect.</p></li></ul></div></dd><dt><span class="term">User and Group Profiles</span></dt><dd><p>
-<a class="indexterm" name="id443012"></a>
-<a class="indexterm" name="id443019"></a>
- Platform-specific, so use platform tool to change from a local to a roaming profile.
- Can use new profiles tool to change SIDs (<code class="filename">NTUser.DAT</code>).
- </p></dd><dt><span class="term">Logon Scripts</span></dt><dd><p>
- Know how they work.
- </p></dd><dt><span class="term">User and Group Mapping to UNIX/Linux</span></dt><dd><p>
- <a class="indexterm" name="id443055"></a>
- User and group mapping code is new. Many problems have been experienced as network administrators
- who are familiar with Samba-2.2.x migrate to Samba-3. Carefully study the chapters that document
- the new password backend behavior and the new group mapping functionality.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>The <em class="parameter"><code>username map</code></em> facility may be needed.</p></li><li class="listitem"><p>Use <code class="literal">net groupmap</code> to connect NT4 groups to UNIX groups.</p></li><li class="listitem"><p>
- Use <code class="literal">pdbedit</code> to set/change user configuration.
- </p><p>
- When migrating to LDAP backend, it may be easier to dump the initial
- LDAP database to LDIF, edit, then reload into LDAP.
- </p></li></ul></div></dd><dt><span class="term">OS-Specific Scripts/Programs May be Needed</span></dt><dd><p>
- Every operating system has its peculiarities. These are the result of engineering decisions
- that were based on the experience of the designer and may have side effects that were not
- anticipated. Limitations that may bite the Windows network administrator include:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Add/Delete Users: Note OS limits on size of name
- (Linux 8 chars, NT4 up to 254 chars).</p></li><li class="listitem"><p>Add/Delete Machines: Applied only to domain members
- (Note: machine names may be limited to 16 characters).</p></li><li class="listitem"><p>Use <code class="literal">net groupmap</code> to connect NT4 groups to UNIX groups.</p></li><li class="listitem"><p>Add/Delete Groups: Note OS limits on size and nature.
- Linux limit is 16 char, no spaces, and no uppercase chars (<code class="literal">groupadd</code>).</p></li></ul></div></dd><dt><span class="term">Migration Tools</span></dt><dd><p>
- <a class="indexterm" name="id443163"></a>
- Domain Control (NT4-Style) Profiles, Policies, Access Controls, Security
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Samba: <code class="literal">net, rpcclient, smbpasswd, pdbedit, profiles</code></p></li><li class="listitem"><p>Windows: <code class="literal">NT4 Domain User Manager, Server Manager (NEXUS)</code></p></li></ul></div></dd></dl></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Updating and Upgrading Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 37. SWAT: The Samba Web Administration Tool</td></tr></table></div></body></html>
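Review bot: Nothing in this hunk says where the removed material lives after the deletion, and the end of the file holds steps administrators copy verbatim: Procedure 36.1 (`net rpc join`, `net rpc vampire`, `pdbedit -L`) and the `initGroups.sh` listing that maps "Domain Admins", "Domain Users" and "Domain Guests" to RIDs 512, 513 and 514. Suggest the commit message name the source these pages are generated from, or the location where the rendered chapter remains published, so the group-mapping procedure stays reachable. The navigation footer on the last line also links to `upgrading-to-3.0.html`, `migration.html`, `SWAT.html` and `index.html`. If any of those pages stays in the tree, its Prev/Next link back to `NT4Migration.html` will dangle, so please confirm they are all removed in this same commit.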
diff --git a/docs/htmldocs/Samba3-HOWTO/NetCommand.html b/docs/htmldocs/Samba3-HOWTO/NetCommand.html
deleted file mode 100644
index 7e2bd75b01..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/NetCommand.html
+++ /dev/null
@@ -1,1391 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. Remote and Local Management: The Net Command</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 13. Remote and Local Management: The Net Command"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter 13. 
Remote and Local Management: The Net Command</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 9, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id367921">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id368198">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id368272">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id368421">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id369648">UNIX and Windows User 
Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id369843">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id369887">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id369950">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id370027">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id370337">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id370349">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id370687">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id371098">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id371140">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371309">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371336">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371872">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id372088">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372105">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372165">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372268">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372285">Managing IDMAP UID/SID 
Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id372323">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372354">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p>
-<a class="indexterm" name="id367793"></a>
-<a class="indexterm" name="id367799"></a>
-<a class="indexterm" name="id367806"></a>
-<a class="indexterm" name="id367813"></a>
-The <code class="literal">net</code> command is one of the new features of Samba-3 and is an attempt to provide a useful
-tool for the majority of remote management operations necessary for common tasks. The <code class="literal">net</code>
-tool is flexible by design and is intended for command-line use as well as for scripted control application.
-</p><p>
-<a class="indexterm" name="id367837"></a>
-<a class="indexterm" name="id367843"></a>
-<a class="indexterm" name="id367850"></a>
-<a class="indexterm" name="id367857"></a>
-Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the
-<code class="literal">net</code> command has morphed into a very powerful instrument that has become an essential part
-of the Samba network administrator's toolbox. The Samba Team has introduced tools, such as
-<code class="literal">smbgroupedit</code> and <code class="literal">rpcclient</code>, from which really useful capabilities have
-been integrated into the <code class="literal">net</code>. The <code class="literal">smbgroupedit</code> command was absorbed
-entirely into the <code class="literal">net</code>, while only some features of the <code class="literal">rpcclient</code> command
-have been ported to it. Anyone who finds older references to these utilities and to the functionality they
-provided should look at the <code class="literal">net</code> command before searching elsewhere.
-</p><p>
-A Samba-3 administrator cannot afford to gloss over this chapter because to do so will almost certainly cause
-the infliction of self-induced pain, agony, and desperation. Be warned: this is an important chapter.
-</p><div class="sect1" title="Overview"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id367921"></a>Overview</h2></div></div></div><p>
-<a class="indexterm" name="id367929"></a>
-<a class="indexterm" name="id367936"></a>
-<a class="indexterm" name="id367943"></a>
-<a class="indexterm" name="id367949"></a>
-<a class="indexterm" name="id367956"></a>
-<a class="indexterm" name="id367962"></a>
- The tasks that follow the installation of a Samba-3 server, whether standalone or domain member, of a
- domain controller (PDC or BDC) begins with the need to create administrative rights. Of course, the
- creation of user and group accounts is essential for both a standalone server and a PDC.
- In the case of a BDC or a Domain Member server (DMS), domain user and group accounts are obtained from
- the central domain authentication backend.
- </p><p>
-<a class="indexterm" name="id367976"></a>
-<a class="indexterm" name="id367983"></a>
-<a class="indexterm" name="id367990"></a>
-<a class="indexterm" name="id367996"></a>
-<a class="indexterm" name="id368003"></a>
-<a class="indexterm" name="id368010"></a>
-<a class="indexterm" name="id368016"></a>
-<a class="indexterm" name="id368023"></a>
- Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows
- networking domain global group accounts. Do you ask why? Because Samba always limits its access to
- the resources of the host server by way of traditional UNIX UID and GID controls. This means that local
- groups must be mapped to domain global groups so that domain users who are members of the domain
- global groups can be given access rights based on UIDs and GIDs local to the server that is hosting
- Samba. Such mappings are implemented using the <code class="literal">net</code> command.
- </p><p>
-<a class="indexterm" name="id368043"></a>
-<a class="indexterm" name="id368050"></a>
-<a class="indexterm" name="id368056"></a>
-<a class="indexterm" name="id368063"></a>
-<a class="indexterm" name="id368070"></a>
-<a class="indexterm" name="id368077"></a>
-<a class="indexterm" name="id368083"></a>
- UNIX systems that are hosting a Samba-3 server that is running as a member (PDC, BDC, or DMS) must have
- a machine security account in the domain authentication database (or directory). The creation of such
- security (or trust) accounts is also handled using the <code class="literal">net</code> command.
- </p><p>
-<a class="indexterm" name="id368101"></a>
-<a class="indexterm" name="id368108"></a>
-<a class="indexterm" name="id368115"></a>
-<a class="indexterm" name="id368121"></a>
-<a class="indexterm" name="id368128"></a>
-<a class="indexterm" name="id368135"></a>
-<a class="indexterm" name="id368142"></a>
-<a class="indexterm" name="id368149"></a>
-<a class="indexterm" name="id368155"></a>
- The establishment of interdomain trusts is achieved using the <code class="literal">net</code> command also, as
- may a plethora of typical administrative duties such as user management, group management, share and
- printer management, file and printer migration, security identifier management, and so on.
- </p><p>
-<a class="indexterm" name="id368173"></a>
-<a class="indexterm" name="id368180"></a>
- The overall picture should be clear now: the <code class="literal">net</code> command plays a central role
- on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is
- evidence of its importance, one that has grown in complexity to the point that it is no longer considered
- prudent to cover its use fully in the online UNIX man pages.
- </p></div><div class="sect1" title="Administrative Tasks and Methods"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id368198"></a>Administrative Tasks and Methods</h2></div></div></div><p>
-<a class="indexterm" name="id368205"></a>
-<a class="indexterm" name="id368212"></a>
-<a class="indexterm" name="id368218"></a>
-<a class="indexterm" name="id368228"></a>
- The basic operations of the <code class="literal">net</code> command are documented here. This documentation is not
- exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba
- server, the emphasis is on the use of the Distributed Computing Environment Remote Procedure Call (DCE RPC)
- mode of operation. When used against a server that is a member of an Active Directory domain, it is preferable
- (and often necessary) to use ADS mode operations. The <code class="literal">net</code> command supports both, but not
- for every operation. For most operations, if the mode is not specified, <code class="literal">net</code> will
- automatically fall back via the <code class="constant">ads</code>, <code class="constant">rpc</code>, and
- <code class="constant">rap</code> modes. Please refer to the man page for a more comprehensive overview of the
- capabilities of this utility.
- </p></div><div class="sect1" title="UNIX and Windows Group Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id368272"></a>UNIX and Windows Group Management</h2></div></div></div><p>
-<a class="indexterm" name="id368280"></a>
-<a class="indexterm" name="id368286"></a>
-<a class="indexterm" name="id368295"></a>
-<a class="indexterm" name="id368304"></a>
-<a class="indexterm" name="id368312"></a>
- As stated, the focus in most of this chapter is on use of the <code class="literal">net rpc</code> family of
- operations that are supported by Samba. Most of them are supported by the <code class="literal">net ads</code>
- mode when used in connection with Active Directory. The <code class="literal">net rap</code> operating mode is
- also supported for some of these operations. RAP protocols are used by IBM OS/2 and by several
- earlier SMB servers.
- </p><p>
-<a class="indexterm" name="id368343"></a>
-<a class="indexterm" name="id368349"></a>
-<a class="indexterm" name="id368356"></a>
- Samba's <code class="literal">net</code> tool implements sufficient capability to permit all common administrative
- tasks to be completed from the command line. In this section each of the essential user and group management
- facilities are explored.
- </p><p>
-<a class="indexterm" name="id368374"></a>
-<a class="indexterm" name="id368380"></a>
-<a class="indexterm" name="id368390"></a>
-<a class="indexterm" name="id368399"></a>
- Samba-3 recognizes two types of groups: <span class="emphasis"><em>domain groups</em></span> and <span class="emphasis"><em>local
- groups</em></span>. Domain groups can contain (have as members) only domain user accounts. Local groups
- can contain local users, domain users, and domain groups as members.
- </p><p>
- The purpose of a local group is to permit file permission to be set for a group account that, like the
- usual UNIX/Linux group, is persistent across redeployment of a Windows file server.
- </p><div class="sect2" title="Adding, Renaming, or Deletion of Group Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id368421"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p>
- Samba provides file and print services to Windows clients. The file system resources it makes available
- to the Windows environment must, of necessity, be provided in a manner that is compatible with the
- Windows networking environment. UNIX groups are created and deleted as required to serve operational
- needs in the UNIX operating system and its file systems.
- </p><p>
- In order to make available to the Windows environment, Samba has a facility by which UNIX groups can
- be mapped to a logical entity, called a Windows (or domain) group. Samba supports two types of Windows
- groups, local and global. Global groups can contain as members, global users. This membership is
- affected in the normal UNIX manner, but adding UNIX users to UNIX groups. Windows user accounts consist
- of a mapping between a user SambaSAMAccount (logical entity) and a UNIX user account. Therefore,
- a UNIX user is mapped to a Windows user (i.e., is given a Windows user account and password) and the
- UNIX groups to which that user belongs, is mapped to a Windows group account. The result is that in
- the Windows account environment that user is also a member of the Windows group account by virtue
- of UNIX group memberships.
- </p><p>
- The following sub-sections that deal with management of Windows groups demonstrates the relationship
- between the UNIX group account and its members to the respective Windows group accounts. It goes on to
- show how UNIX group members automatically pass-through to Windows group membership as soon as a logical
- mapping has been created.
- </p><div class="sect3" title="Adding or Creating a New Group"><div class="titlepage"><div><div><h4 class="title"><a name="id368450"></a>Adding or Creating a New Group</h4></div></div></div><p>
- Before attempting to add a Windows group account, the currently available groups can be listed as shown
- here:
-<a class="indexterm" name="id368459"></a>
-<a class="indexterm" name="id368470"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group list -Uroot%not24get
-Password:
-Domain Admins
-Domain Users
-Domain Guests
-Print Operators
-Backup Operators
-Replicator
-Domain Computers
-Engineers
-</pre><p>
- </p><p>
- A Windows group account called <span class="quote">&#8220;<span class="quote">SupportEngrs</span>&#8221;</span> can be added by executing the following
-command:
-<a class="indexterm" name="id368504"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group add "SupportEngrs" -Uroot%not24get
-</pre><p>
- The addition will result in immediate availability of the new group account as validated by executing
-this command:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group list -Uroot%not24get
-Password:
-Domain Admins
-Domain Users
-Domain Guests
-Print Operators
-Backup Operators
-Replicator
-Domain Computers
-Engineers
-SupportEngrs
-</pre><p>
- </p><p>
-<a class="indexterm" name="id368543"></a>
-<a class="indexterm" name="id368550"></a>
-<a class="indexterm" name="id368557"></a>
- The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by calling
- the <a class="link" href="smb.conf.5.html#ADDGROUPSCRIPT" target="_top">add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</a> interface
- script:
-</p><pre class="screen">
-<code class="prompt">root# </code> getent group
-...
-Domain Admins:x:512:root
-Domain Users:x:513:jht,lct,ajt,met
-Domain Guests:x:514:
-Print Operators:x:550:
-Backup Operators:x:551:
-Replicator:x:552:
-Domain Computers:x:553:
-Engineers:x:1002:jht
-SupportEngrs:x:1003:
-</pre><p>
- The following demonstrates that the use of the <code class="literal">net</code> command to add a group account
-results in immediate mapping of the POSIX group that has been created to the Windows group account as shown
-here:
-<a class="indexterm" name="id368597"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net groupmap list
-Domain Admins (S-1-5-21-72630-4128915-11681869-512) -&gt; Domain Admins
-Domain Users (S-1-5-21-72630-4128915-11681869-513) -&gt; Domain Users
-Domain Guests (S-1-5-21-72630-4128915-11681869-514) -&gt; Domain Guests
-Print Operators (S-1-5-21-72630-4128915-11681869-550) -&gt; Print Operators
-Backup Operators (S-1-5-21-72630-4128915-11681869-551) -&gt; Backup Operators
-Replicator (S-1-5-21-72630-4128915-11681869-552) -&gt; Replicator
-Domain Computers (S-1-5-21-72630-4128915-11681869-553) -&gt; Domain Computers
-Engineers (S-1-5-21-72630-4128915-11681869-3005) -&gt; Engineers
-SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -&gt; SupportEngrs
-</pre><p>
- </p></div><div class="sect3" title="Mapping Windows Groups to UNIX Groups"><div class="titlepage"><div><div><h4 class="title"><a name="id368629"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p>
-<a class="indexterm" name="id368637"></a>
-<a class="indexterm" name="id368644"></a>
-<a class="indexterm" name="id368651"></a>
-<a class="indexterm" name="id368658"></a>
- Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls
- can be asserted in a manner that is consistent with the methods appropriate to the operating
- system that is hosting the Samba server.
- </p><p>
-<a class="indexterm" name="id368670"></a>
-<a class="indexterm" name="id368676"></a>
-<a class="indexterm" name="id368683"></a>
-<a class="indexterm" name="id368690"></a>
- All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is
- hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override
- or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that
- access the file system provide a mechanism that maps a Windows user to a particular UNIX/Linux group
- account. The user account must also map to a locally known UID. Note that the <code class="literal">net</code>
- command does not call any RPC-functions here but directly accesses the passdb.
- </p><p>
-<a class="indexterm" name="id368710"></a>
-<a class="indexterm" name="id368717"></a>
-<a class="indexterm" name="id368724"></a>
-<a class="indexterm" name="id368731"></a>
-<a class="indexterm" name="id368737"></a>
-<a class="indexterm" name="id368744"></a>
-<a class="indexterm" name="id368751"></a>
- Samba depends on default mappings for the <code class="constant">Domain Admins, Domain Users</code>, and
- <code class="constant">Domain Guests</code> global groups. Additional groups may be added as shown in the
- examples just given. There are times when it is necessary to map an existing UNIX group account
- to a Windows group. This operation, in effect, creates a Windows group account as a consequence
- of creation of the mapping.
- </p><p>
-<a class="indexterm" name="id368771"></a>
-<a class="indexterm" name="id368783"></a>
-<a class="indexterm" name="id368794"></a>
- The operations that are permitted include: <code class="constant">add</code>, <code class="constant">modify</code>,
- and <code class="constant">delete</code>. An example of each operation is shown here.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- Commencing with Samba-3.0.23 Windows Domain Groups must be explicitly created. By default, all
- UNIX groups are exposed to Windows networking as Windows local groups.
- </p></div><p>
- An existing UNIX group may be mapped to an existing Windows group by this example:
-</p><pre class="screen">
-<code class="prompt">root# </code> net groupmap modify ntgroup="Domain Users" unixgroup=users
-</pre><p>
- An existing UNIX group may be mapped to a new Windows group as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d
-</pre><p>
- Supported mapping types are 'd' (domain global) and 'l' (domain local).
- A Windows group may be deleted, and then a new Windows group can be mapped to the UNIX group by
- executing these commands:
-</p><pre class="screen">
-<code class="prompt">root# </code> net groupmap delete ntgroup=Engineers
-<code class="prompt">root# </code> net groupmap add ntgroup=EngineDrivers unixgroup=Engineers type=d
-</pre><p>
- The deletion and addition operations affected only the logical entities known as Windows groups, or domain
- groups. These operations are inert to UNIX system groups, meaning that they neither delete nor create UNIX
- system groups. The mapping of a UNIX group to a Windows group makes the UNIX group available as Windows
- groups so that files and folders on domain member clients (workstations and servers) can be given
- domain-wide access controls for domain users and groups.
- </p><p>
- Two types of Windows groups can be created: <code class="constant">domain (global)</code> and <code class="constant">local</code>.
- In the previous examples the Windows groups created were of type <code class="constant">domain</code> or global. The
- following command will create a Windows group of type <code class="constant">local</code>.
-</p><pre class="screen">
-<code class="prompt">root# </code> net groupmap add ntgroup=Pixies unixgroup=pixies type=l
-</pre><p>
- Supported mapping types are 'd' (domain global) and 'l' (domain local), a domain local group in Samba is
- treated as local to the individual Samba server. Local groups can be used with Samba to enable multiple
- nested group support.
- </p></div><div class="sect3" title="Deleting a Group Account"><div class="titlepage"><div><div><h4 class="title"><a name="id368910"></a>Deleting a Group Account</h4></div></div></div><p>
-<a class="indexterm" name="id368918"></a>
- A group account may be deleted by executing the following command:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group delete SupportEngineers -Uroot%not24get
-</pre><p>
- </p><p>
- Validation of the deletion is advisable. The same commands may be executed as shown above.
- </p></div><div class="sect3" title="Rename Group Accounts"><div class="titlepage"><div><div><h4 class="title"><a name="id368948"></a>Rename Group Accounts</h4></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- This command is not documented in the man pages; it is implemented in the source code, but it does not
- work at this time. The example given documents, from the source code, how it should work. Watch the
- release notes of a future release to see when this may have been fixed.
- </p></div><p>
- Sometimes it is necessary to rename a group account. Good administrators know how painful some managers'
- demands can be if this simple request is ignored. The following command demonstrates how the Windows group
- <span class="quote">&#8220;<span class="quote">SupportEngrs</span>&#8221;</span> can be renamed to <span class="quote">&#8220;<span class="quote">CustomerSupport</span>&#8221;</span>:
-<a class="indexterm" name="id368972"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group rename SupportEngrs \
- CustomerSupport -Uroot%not24get
-</pre><p>
- </p></div></div><div class="sect2" title="Manipulating Group Memberships"><div class="titlepage"><div><div><h3 class="title"><a name="grpmemshipchg"></a>Manipulating Group Memberships</h3></div></div></div><p>
- Three operations can be performed regarding group membership. It is possible to (1) add Windows users
- to a Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are
- members of a Windows group.
- </p><p>
- To avoid confusion, it makes sense to check group membership before attempting to make any changes.
- The <code class="literal">getent group</code> will list UNIX/Linux group membership. UNIX/Linux group members are
- seen also as members of a Windows group that has been mapped using the <code class="literal">net groupmap</code>
- command (see <a class="link" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX">&#8220;Group Mapping: MS Windows and UNIX&#8221;</a>). The following list of UNIX/Linux group membership shows
- that the user <code class="constant">ajt</code> is a member of the UNIX/Linux group <code class="constant">Engineers</code>.
-</p><pre class="screen">
-<code class="prompt">root# </code> getent group
-...
-Domain Admins:x:512:root
-Domain Users:x:513:jht,lct,ajt,met,vlendecke
-Domain Guests:x:514:
-Print Operators:x:550:
-Backup Operators:x:551:
-Replicator:x:552:
-Domain Computers:x:553:
-Engineers:x:1000:jht,ajt
-</pre><p>
- The UNIX/Linux groups have been mapped to Windows groups, as is shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> net groupmap list
-Domain Admins (S-1-5-21-72630-412605-116429-512) -&gt; Domain Admins
-Domain Users (S-1-5-21-72630-412605-116429-513) -&gt; Domain Users
-Domain Guests (S-1-5-21-72630-412605-116429-514) -&gt; Domain Guests
-Print Operators (S-1-5-21-72630-412605-116429-550) -&gt; Print Operators
-Backup Operators (S-1-5-21-72630-412605-116429-551) -&gt; Backup Operators
-Replicator (S-1-5-21-72630-412605-116429-552) -&gt; Replicator
-Domain Computers (S-1-5-21-72630-412605-116429-553) -&gt; Domain Computers
-Engineers (S-1-5-21-72630-412605-116429-3001) -&gt; Engineers
-</pre><p>
- </p><p>
- Given that the user <code class="constant">ajt</code> is already a member of the UNIX/Linux group and, via the
- group mapping, a member of the Windows group, an attempt to add this account again should fail. This is
- demonstrated here:
-<a class="indexterm" name="id369083"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
-Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP
-</pre><p>
- This shows that the group mapping between UNIX/Linux groups and Windows groups is effective and
- transparent.
- </p><p>
- To permit the user <code class="constant">ajt</code> to be added using the <code class="literal">net rpc group</code> utility,
- this account must first be removed. The removal and confirmation of its effect is shown here:
-<a class="indexterm" name="id369121"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get
-<code class="prompt">root# </code> getent group Engineers
-Engineers:x:1000:jht
-<code class="prompt">root# </code> net rpc group members Engineers -Uroot%not24get
-MIDEARTH\jht
-</pre><p>
- In this example both at the UNIX/Linux system level, the group no longer has the <code class="constant">ajt</code>
- as a member. The above also shows this to be the case for Windows group membership.
- </p><p>
- The account is now added again, using the <code class="literal">net rpc group</code> utility:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
-<code class="prompt">root# </code> getent group Engineers
-Engineers:x:1000:jht,ajt
-<code class="prompt">root# </code> net rpc group members Engineers -Uroot%not24get
-MIDEARTH\jht
-MIDEARTH\ajt
-</pre><p>
- </p><p>
- In this example the members of the Windows <code class="constant">Domain Users</code> account are validated using
- the <code class="literal">net rpc group</code> utility. Note the this contents of the UNIX/Linux group was shown
- four paragraphs earlier. The Windows (domain) group membership is shown here:
-<a class="indexterm" name="id369211"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group members "Domain Users" -Uroot%not24get
-MIDEARTH\jht
-MIDEARTH\lct
-MIDEARTH\ajt
-MIDEARTH\met
-MIDEARTH\vlendecke
-</pre><p>
- This express example shows that Windows group names are treated by Samba (as with
- MS Windows) in a case-insensitive manner:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group members "DomAiN USerS" -Uroot%not24get
-MIDEARTH\jht
-MIDEARTH\lct
-MIDEARTH\ajt
-MIDEARTH\met
-MIDEARTH\vlendecke
-</pre><p>
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- An attempt to specify the group name as <code class="constant">MIDEARTH\Domain Users</code> in place of
- just simply <code class="constant">Domain Users</code> will fail. The default behavior of the net rpc group
- is to direct the command at the local machine. The Windows group is treated as being local to the machine.
- If it is necessary to query another machine, its name can be specified using the <code class="constant">-S
- servername</code> parameter to the <code class="literal">net</code> command.
- </p></div></div><div class="sect2" title="Nested Group Support"><div class="titlepage"><div><div><h3 class="title"><a name="nestedgrpmgmgt"></a>Nested Group Support</h3></div></div></div><p>
- It is possible in Windows (and now in Samba also) to create a local group that has members (contains),
- domain users, and domain global groups. Creation of the local group <code class="constant">demo</code> is
- achieved by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group add demo -L -S MORDON -Uroot%not24get
-</pre><p>
- The -L switch means create a local group. Use the -S argument to direct the operation to a particular
- server. The parameters to the -U argument should be for a user who has appropriate administrative right
- and privileges on the machine.
- </p><p>
- Addition and removal of group members can be achieved using the <code class="constant">addmem</code> and
- <code class="constant">delmem</code> subcommands of <code class="literal">net rpc group</code> command. For example,
- addition of <span class="quote">&#8220;<span class="quote">DOM\Domain Users</span>&#8221;</span> to the local group <code class="constant">demo</code> would be
- done by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group addmem demo "DOM\Domain Users" -Uroot%not24get
-</pre><p>
- </p><p>
- The members of a nested group can be listed by executing the following:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group members demo -Uroot%not24get
-DOM\Domain Users
-DOM\Engineers
-DOM\jamesf
-DOM\jht
-</pre><p>
- </p><p>
- Nested group members can be removed (deleted) as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group delmem demo "DOM\jht" -Uroot%not24get
-</pre><p>
- </p><div class="sect3" title="Managing Nest Groups on Workstations from the Samba Server"><div class="titlepage"><div><div><h4 class="title"><a name="id369374"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p>
- Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone
- administrative rights on their own workstation. This is of course a very bad practice, but commonly done
- to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC:
-<a class="indexterm" name="id369385"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc group addmem "Administrators" "Domain Users" \
- -S WINPC032 -Uadministrator%secret
-</pre><p>
- </p><p>
- This can be scripted, and can therefore be performed as a user logs onto the domain from a Windows
- workstation. Here is a simple example that shows how this can be done.
- </p><div class="procedure" title="Procedure 13.1. Automating User Addition to the Workstation Power Users Group"><a name="id369414"></a><p class="title"><b>Procedure 13.1. Automating User Addition to the Workstation Power Users Group</b></p><div class="example"><a name="autopoweruserscript"></a><p class="title"><b>Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group</b></p><div class="example-contents"><pre class="screen">
-#!/bin/bash
-
-/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" \
- -UAdministrator%secret -S $2
-
-exit 0
-</pre></div></div><br class="example-break"><div class="example"><a name="magicnetlogon"></a><p class="title"><b>Example 13.2. A Magic Netlogon Share</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id369563"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id369574"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id369586"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id369598"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id369609"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Create the script shown in <a class="link" href="NetCommand.html#autopoweruserscript" title="Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group">&#8220;Script to Auto-add Domain Users to Workstation Power Users Group&#8221;</a> and locate it in
- the directory <code class="filename">/etc/samba/scripts</code>, named as <code class="filename">autopoweruser.sh</code>.
-<a class="indexterm" name="id369445"></a>
-<a class="indexterm" name="id369456"></a>
-<a class="indexterm" name="id369463"></a>
- </p></li><li class="step" title="Step 2"><p>
- Set the permissions on this script to permit it to be executed as part of the logon process:
-</p><pre class="screen">
-<code class="prompt">root# </code> chown root:root /etc/samba/autopoweruser.sh
-<code class="prompt">root# </code> chmod 755 /etc/samba/autopoweruser.sh
-</pre><p>
- </p></li><li class="step" title="Step 3"><p>
- Modify the <code class="filename">smb.conf</code> file so the <code class="literal">NETLOGON</code> stanza contains the parameters
- shown in <a class="link" href="NetCommand.html#magicnetlogon" title="Example 13.2. A Magic Netlogon Share">the Netlogon Example smb.conf file</a> as shown.
- </p></li><li class="step" title="Step 4"><p>
- Ensure that every Windows workstation Administrator account has the same password that you
- have used in the script shown in <a class="link" href="NetCommand.html#magicnetlogon" title="Example 13.2. A Magic Netlogon Share">the Netlogon Example smb.conf
- file</a>
- </p></li></ol></div><p>
- This script will be executed every time a user logs on to the network. Therefore every user will
- have local Windows workstation management rights. This could of course be assigned using a group,
- in which case there is little justification for the use of this procedure. The key justification
- for the use of this method is that it will guarantee that all users have appropriate rights on
- the workstation.
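Review bot: the autopoweruser.sh procedure removed in this region is internally inconsistent, so if the source these pages are generated from stays in the tree, correct it there instead of letting it be regenerated unchanged. Step 1 and the root preexec line place the script at /etc/samba/scripts/autopoweruser.sh, but the chown and chmod in Step 2 act on /etc/samba/autopoweruser.sh. In the script itself the argument "DOMAIN_NAME\$1" escapes the dollar sign inside double quotes, so bash passes the literal text $1 and not the user name; it needs a doubled backslash, and $2 should be quoted. The script also holds the workstation Administrator password in clear text while Step 2 sets mode 755, which leaves it readable by every local account; root ownership with mode 700 is enough for something run through root preexec. Separately, the removed text says the net chapter exists because the man pages do not cover the command fully, so the commit message should state where this material remains available after the deletion.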
- </p></div></div></div><div class="sect1" title="UNIX and Windows User Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id369648"></a>UNIX and Windows User Management</h2></div></div></div><p>
-<a class="indexterm" name="id369656"></a>
-<a class="indexterm" name="id369662"></a>
-<a class="indexterm" name="id369669"></a>
-<a class="indexterm" name="id369675"></a>
-<a class="indexterm" name="id369682"></a>
-<a class="indexterm" name="id369689"></a>
-<a class="indexterm" name="id369696"></a>
-<a class="indexterm" name="id369703"></a>
- Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact,
- the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either
- from a system (POSIX) account or from a pool (range) of UID numbers that is set aside for the purpose
- of being allocated for use by Windows user accounts. In the case of the UID pool, the UID for a
- particular user will be allocated by <code class="literal">winbindd</code>.
- </p><p>
- Although this is not the appropriate place to discuss the <a class="link" href="smb.conf.5.html#USERNAMEMAP" target="_top">username map</a> facility,
- this interface is an important method of mapping a Windows user account to a UNIX account that has a
- different name. Refer to the man page for the <code class="filename">smb.conf</code> file for more information regarding this
- facility. User name mappings cannot be managed using the <code class="literal">net</code> utility.
- </p><div class="sect2" title="Adding User Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="sbeuseraddn"></a>Adding User Accounts</h3></div></div></div><p>
- The syntax for adding a user account via the <code class="literal">net</code> (according to the man page) is shown
- here:
-</p><pre class="screen">
-net [&lt;method&gt;] user ADD &lt;name&gt; [-c container] [-F user flags] \
- [misc. options] [targets]
-</pre><p>
- The user account password may be set using this syntax:
-</p><pre class="screen">
-net rpc password &lt;username&gt; [&lt;password&gt;] -Uadmin_username%admin_pass
-</pre><p>
- </p><p>
- The following demonstrates the addition of an account to the server <code class="constant">FRODO</code>:
-<a class="indexterm" name="id369787"></a>
-<a class="indexterm" name="id369798"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc user add jacko -S FRODO -Uroot%not24get
-Added user jacko
-</pre><p>
- The account password can be set with the following methods (all show the same operation):
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc password jacko f4sth0rse -S FRODO -Uroot%not24get
-<code class="prompt">root# </code> net rpc user password jacko f4sth0rse \
- -S FRODO -Uroot%not24get
-</pre><p>
- </p></div><div class="sect2" title="Deletion of User Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id369843"></a>Deletion of User Accounts</h3></div></div></div><p>
- Deletion of a user account can be done using the following syntax:
-</p><pre class="screen">
-net [&lt;method&gt;] user DELETE &lt;name&gt; [misc. options] [targets]
-</pre><p>
- The following command will delete the user account <code class="constant">jacko</code>:
-<a class="indexterm" name="id369862"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc user delete jacko -Uroot%not24get
-Deleted user account
-</pre><p>
- </p></div><div class="sect2" title="Managing User Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id369887"></a>Managing User Accounts</h3></div></div></div><p>
- Two basic user account operations are routinely used: change of password and querying which groups a user
- is a member of. The change of password operation is shown in <a class="link" href="NetCommand.html#sbeuseraddn" title="Adding User Accounts">&#8220;Adding User Accounts&#8221;</a>.
- </p><p>
- The ability to query Windows group membership can be essential. Here is how a remote server may be
- interrogated to find which groups a user is a member of:
-<a class="indexterm" name="id369908"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc user info jacko -S SAURON -Uroot%not24get
-net rpc user info jacko -S SAURON -Uroot%not24get
-Domain Users
-Domain Admins
-Engineers
-TorridGroup
-BOP Shop
-Emergency Services
-</pre><p>
- </p><p>
- It is also possible to rename user accounts:
-<a class="indexterm" name="id369935"></a>oldusername newusername
- Note that this operation does not yet work against Samba Servers. It is, however, possible to rename useraccounts on
- Windows Servers.
-
- </p></div><div class="sect2" title="User Mapping"><div class="titlepage"><div><div><h3 class="title"><a name="id369950"></a>User Mapping</h3></div></div></div><p>
-<a class="indexterm" name="id369957"></a>
-<a class="indexterm" name="id369964"></a>
-<a class="indexterm" name="id369971"></a>
- In some situations it is unavoidable that a user's Windows logon name will differ from the login ID
- that user has on the Samba server. It is possible to create a special file on the Samba server that
- will permit the Windows user name to be mapped to a different UNIX/Linux user name. The <code class="filename">smb.conf</code>
- file must also be amended so that the <code class="constant">[global]</code> stanza contains the parameter:
-</p><pre class="screen">
-username map = /etc/samba/smbusers
-</pre><p>
- The content of the <code class="filename">/etc/samba/smbusers</code> file is shown here:
-</p><pre class="screen">
-parsonsw: "William Parsons"
-marygee: geeringm
-</pre><p>
- In this example the Windows user account <span class="quote">&#8220;<span class="quote">William Parsons</span>&#8221;</span> will be mapped to the UNIX user
- <code class="constant">parsonsw</code>, and the Windows user account <span class="quote">&#8220;<span class="quote">geeringm</span>&#8221;</span> will be mapped to the
- UNIX user <code class="constant">marygee</code>.
- </p></div></div><div class="sect1" title="Administering User Rights and Privileges"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id370027"></a>Administering User Rights and Privileges</h2></div></div></div><p>
-<a class="indexterm" name="id370035"></a>
-<a class="indexterm" name="id370042"></a>
-<a class="indexterm" name="id370049"></a>
-<a class="indexterm" name="id370056"></a>
-<a class="indexterm" name="id370062"></a>
- With all versions of Samba earlier than 3.0.11 the only account on a Samba server that could
- manage users, groups, shares, printers, and such was the <code class="constant">root</code> account. This caused
- problems for some users and was a frequent source of scorn over the necessity to hand out the
- credentials for the most security-sensitive account on a UNIX/Linux system.
- </p><p>
-<a class="indexterm" name="id370079"></a>
-<a class="indexterm" name="id370086"></a>
-<a class="indexterm" name="id370093"></a>
-<a class="indexterm" name="id370100"></a>
-<a class="indexterm" name="id370106"></a>
- New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either
- a normal user or to groups of users. The significance of the administrative privileges is documented
- in <a class="link" href="rights.html" title="Chapter 15. User Rights and Privileges">&#8220;User Rights and Privileges&#8221;</a>. Examples of use of the <code class="literal">net</code> for user rights and privilege
- management is appropriate to this chapter.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- When user rights and privileges are correctly set, there is no longer a need for a Windows
- network account for the <code class="constant">root</code> user (nor for any synonym of it) with a UNIX UID=0.
- Initial user rights and privileges can be assigned by any account that is a member of the <code class="constant">
- Domain Admins</code> group. Rights can be assigned to user as well as group accounts.
- </p></div><p>
- By default, no privileges and rights are assigned. This is demonstrated by executing the command
- shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc rights list accounts -U root%not24get
-BUILTIN\Print Operators
-No privileges assigned
-
-BUILTIN\Account Operators
-No privileges assigned
-
-BUILTIN\Backup Operators
-No privileges assigned
-
-BUILTIN\Server Operators
-No privileges assigned
-
-BUILTIN\Administrators
-No privileges assigned
-
-Everyone
-No privileges assigned
-</pre><p>
- </p><p>
- The <code class="literal">net</code> command can be used to obtain the currently supported capabilities for rights
- and privileges using this method:
-<a class="indexterm" name="id370170"></a>
-<a class="indexterm" name="id370177"></a>
-<a class="indexterm" name="id370184"></a>
-<a class="indexterm" name="id370190"></a>
-<a class="indexterm" name="id370197"></a>
-<a class="indexterm" name="id370204"></a>
-<a class="indexterm" name="id370211"></a>
-<a class="indexterm" name="id370218"></a>
-<a class="indexterm" name="id370225"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc rights list -U root%not24get
- SeMachineAccountPrivilege Add machines to domain
- SePrintOperatorPrivilege Manage printers
- SeAddUsersPrivilege Add users and groups to the domain
- SeRemoteShutdownPrivilege Force shutdown from a remote system
- SeDiskOperatorPrivilege Manage disk shares
- SeBackupPrivilege Back up files and directories
- SeRestorePrivilege Restore files and directories
- SeTakeOwnershipPrivilege Take ownership of files or other objects
-</pre><p>
- Machine account privilege is necessary to permit a Windows NT4 or later network client to be added to the
- domain. The disk operator privilege is necessary to permit the user to manage share ACLs and file and
- directory ACLs for objects not owned by the user.
- </p><p>
- In this example, all rights are assigned to the <code class="constant">Domain Admins</code> group. This is a good
- idea since members of this group are generally expected to be all-powerful. This assignment makes that
- the reality:
-<a class="indexterm" name="id370262"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc rights grant "MIDEARTH\Domain Admins" \
- SeMachineAccountPrivilege SePrintOperatorPrivilege \
- SeAddUsersPrivilege SeRemoteShutdownPrivilege \
- SeDiskOperatorPrivilege -U root%not24get
-Successfully granted rights.
-</pre><p>
- Next, the domain user <code class="constant">jht</code> is given the privileges needed for day-to-day
- administration:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc rights grant "MIDEARTH\jht" \
- SeMachineAccountPrivilege SePrintOperatorPrivilege \
- SeAddUsersPrivilege SeDiskOperatorPrivilege \
- -U root%not24get
-Successfully granted rights.
-</pre><p>
- </p><p>
- The following step permits validation of the changes just made:
-<a class="indexterm" name="id370308"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc rights list accounts -U root%not24get
-MIDEARTH\jht
-SeMachineAccountPrivilege
-SePrintOperatorPrivilege
-SeAddUsersPrivilege
-SeDiskOperatorPrivilege
-
-BUILTIN\Print Operators
-No privileges assigned
-
-BUILTIN\Account Operators
-No privileges assigned
-
-BUILTIN\Backup Operators
-No privileges assigned
-
-BUILTIN\Server Operators
-No privileges assigned
-
-BUILTIN\Administrators
-No privileges assigned
-
-Everyone
-No privileges assigned
-
-MIDEARTH\Domain Admins
-SeMachineAccountPrivilege
-SePrintOperatorPrivilege
-SeAddUsersPrivilege
-SeRemoteShutdownPrivilege
-SeDiskOperatorPrivilege
-</pre><p>
- </p></div><div class="sect1" title="Managing Trust Relationships"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id370337"></a>Managing Trust Relationships</h2></div></div></div><p>
- There are essentially two types of trust relationships: the first is between domain controllers and domain
- member machines (network clients), the second is between domains (called interdomain trusts). All
- Samba servers that participate in domain security require a domain membership trust account, as do like
- Windows NT/200x/XP workstations.
- </p><div class="sect2" title="Machine Trust Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id370349"></a>Machine Trust Accounts</h3></div></div></div><p>
- The net command looks in the <code class="filename">smb.conf</code> file to obtain its own configuration settings. Thus, the following
- command 'knows' which domain to join from the <code class="filename">smb.conf</code> file.
- </p><p>
- A Samba server domain trust account can be validated as shown in this example:
-<a class="indexterm" name="id370374"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc testjoin
-Join to 'MIDEARTH' is OK
-</pre><p>
- Where there is no domain membership account, or when the account credentials are not valid, the following
- results will be observed:
-</p><pre class="screen">
-net rpc testjoin -S DOLPHIN
-Join to domain 'WORLDOCEAN' is not valid
-</pre><p>
- </p><p>
- The equivalent command for joining a Samba server to a Windows ADS domain is shown here:
-<a class="indexterm" name="id370409"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads testjoin
-Using short domain name -- TAKEAWAY
-Joined 'LEMONADE' to realm 'TAKEAWAY.BIZ'
-</pre><p>
- In the event that the ADS trust was not established, or is broken for one reason or another, the following
- error message may be obtained:
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads testjoin -UAdministrator%secret
-Join to domain is not valid
-</pre><p>
- </p><p>
- The following demonstrates the process of creating a machine trust account in the target domain for the
- Samba server from which the command is executed:
-<a class="indexterm" name="id370450"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc join -S FRODO -Uroot%not24get
-Joined domain MIDEARTH.
-</pre><p>
- The joining of a Samba server to a Samba domain results in the creation of a machine account. An example
- of this is shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -Lw merlin\$
-merlin$:1009:9B4489D6B90461FD6A3EC3AB96147E16:\
-176D8C554E99914BDF3407DEA2231D80:[S ]:LCT-42891919:
-</pre><p>
- The S in the square brackets means this is a server (PDC/BDC) account. The domain join can be cast to join
- purely as a workstation, in which case the S is replaced with a W (indicating a workstation account). The
- following command can be used to affect this:
-<a class="indexterm" name="id370488"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc join member -S FRODO -Uroot%not24get
-Joined domain MIDEARTH.
-</pre><p>
- Note that the command-line parameter <code class="constant">member</code> makes this join specific. By default
- the type is deduced from the <code class="filename">smb.conf</code> file configuration. To specifically join as a PDC or BDC, the
- command-line parameter will be <code class="constant">[PDC | BDC]</code>. For example:
-<a class="indexterm" name="id370526"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc join bdc -S FRODO -Uroot%not24get
-Joined domain MIDEARTH.
-</pre><p>
- It is best to let Samba figure out the domain join type from the settings in the <code class="filename">smb.conf</code> file.
- </p><p>
- The command to join a Samba server to a Windows ADS domain is shown here:
-<a class="indexterm" name="id370560"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads join -UAdministrator%not24get
-Using short domain name -- GDANSK
-Joined 'FRANDIMITZ' to realm 'GDANSK.ABMAS.BIZ'
-</pre><p>
- </p><p>
- There is no specific option to remove a machine account from an NT4 domain. When a domain member that is a
- Windows machine is withdrawn from the domain, the domain membership account is not automatically removed
- either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the
- machine account can be removed using the following <code class="literal">net</code> command:
-<a class="indexterm" name="id370596"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc user delete HERRING\$ -Uroot%not24get
-Deleted user account.
-</pre><p>
- The removal is made possible because machine accounts are just like user accounts with a trailing $
- character. The account management operations treat user and machine accounts in like manner.
- </p><p>
- A Samba-3 server that is a Windows ADS domain member can execute the following command to detach from the
- domain:
-<a class="indexterm" name="id370625"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads leave
-</pre><p>
- </p><p>
- Detailed information regarding an ADS domain can be obtained by a Samba DMS machine by executing the
- following:
-<a class="indexterm" name="id370651"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads status
-</pre><p>
- The volume of information is extensive. Please refer to the book <span class="quote">&#8220;<span class="quote">Samba-3 by Example</span>&#8221;</span>,
- Chapter 7 for more information regarding its use. This book may be obtained either in print or online from
- the <a class="ulink" href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by Example</a>.
- </p></div><div class="sect2" title="Interdomain Trusts"><div class="titlepage"><div><div><h3 class="title"><a name="id370687"></a>Interdomain Trusts</h3></div></div></div><p>
- Interdomain trust relationships form the primary mechanism by which users from one domain can be granted
- access rights and privileges in another domain.
- </p><p>
- To discover what trust relationships are in effect, execute this command:
-<a class="indexterm" name="id370700"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get
-Trusted domains list:
-
-none
-
-Trusting domains list:
-
-none
-</pre><p>
- There are no interdomain trusts at this time; the following steps will create them.
- </p><p>
- It is necessary to create a trust account in the local domain. A domain controller in a second domain can
- create a trusted connection with this account. That means that the foreign domain is being trusted
- to access resources in the local domain. This command creates the local trust account:
-<a class="indexterm" name="id370730"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc trustdom add DAMNATION f00db4r -Uroot%not24get
-</pre><p>
- The account can be revealed by using the <code class="literal">pdbedit</code> as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -Lw DAMNATION\$
-DAMNATION$:1016:9AC1F121DF897688AAD3B435B51404EE: \
-7F845808B91BB9F7FEF44B247D9DC9A6:[I ]:LCT-428934B1:
-</pre><p>
- A trust account will always have an I in the field within the square brackets.
- </p><p>
- If the trusting domain is not capable of being reached, the following command will fail:
-<a class="indexterm" name="id370777"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get
-Trusted domains list:
-
-none
-
-Trusting domains list:
-
-DAMNATION S-1-5-21-1385457007-882775198-1210191635
-</pre><p>
- The above command executed successfully; a failure is indicated when the following response is obtained:
-</p><pre class="screen">
-net rpc trustdom list -Uroot%not24get
-Trusted domains list:
-
-DAMNATION S-1-5-21-1385457007-882775198-1210191635
-
-Trusting domains list:
-
-DAMNATION domain controller is not responding
-</pre><p>
- </p><p>
- Where a trust account has been created on a foreign domain, Samba is able to establish the trust (connect with)
- the foreign account. In the process it creates a one-way trust to the resources on the remote domain. This
- command achieves the objective of joining the trust relationship:
-<a class="indexterm" name="id370815"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc trustdom establish DAMNATION
-Password: xxxxxxx == f00db4r
-Could not connect to server TRANSGRESSION
-Trust to domain DAMNATION established
-</pre><p>
- Validation of the two-way trust now established is possible as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get
-Trusted domains list:
-
-DAMNATION S-1-5-21-1385457007-882775198-1210191635
-
-Trusting domains list:
-
-DAMNATION S-1-5-21-1385457007-882775198-1210191635
-</pre><p>
- </p><p>
- Sometimes it is necessary to remove the ability for local users to access a foreign domain. The trusting
- connection can be revoked as shown here:
-<a class="indexterm" name="id370857"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc trustdom revoke DAMNATION -Uroot%not24get
-</pre><p>
- At other times it becomes necessary to remove the ability for users from a foreign domain to be able to
- access resources in the local domain. The command shown here will do that:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc trustdom del DAMNATION -Uroot%not24get
-</pre><p>
-
- </p></div></div><div class="sect1" title="Managing Security Identifiers (SIDS)"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id370896"></a>Managing Security Identifiers (SIDS)</h2></div></div></div><p>
-<a class="indexterm" name="id370904"></a>
-<a class="indexterm" name="id370911"></a>
-<a class="indexterm" name="id370918"></a>
-<a class="indexterm" name="id370924"></a>
-<a class="indexterm" name="id370931"></a>
- The basic security identifier that is used by all Windows networking operations is the Windows security
- identifier (SID). All Windows network machines (servers and workstations), users, and groups are
- identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that
- are specific to the SID of the domain to which the user belongs.
- </p><p>
-<a class="indexterm" name="id370945"></a>
-<a class="indexterm" name="id370951"></a>
-<a class="indexterm" name="id370958"></a>
-<a class="indexterm" name="id370965"></a>
- It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because
- a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you
- have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of
- having to recover user desktop profiles and perhaps rejoin all member machines to the domain.
- </p><p>
- First, do not forget to store the local SID in a file. It is a good idea to put this in the directory
- in which the <code class="filename">smb.conf</code> file is also stored. Here is a simple action to achieve this:
-<a class="indexterm" name="id370986"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net getlocalsid &gt; /etc/samba/my-sid
-</pre><p>
- Good, there is now a safe copy of the local machine SID. On a PDC/BDC this is the domain SID also.
- </p><p>
- The following command reveals what the former one should have placed into the file called
- <code class="filename">my-sid</code>:
-</p><pre class="screen">
-<code class="prompt">root# </code> net getlocalsid
-SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429
-</pre><p>
- </p><p>
- If ever it becomes necessary to restore the SID that has been stored in the <code class="filename">my-sid</code>
- file, simply copy the SID (the string of characters that begins with <code class="constant">S-1-5-21</code>) to
- the command line shown here:
-<a class="indexterm" name="id371043"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635
-</pre><p>
- Restoration of a machine SID is a simple operation, but the absence of a backup copy can be very
- problematic.
- </p><p>
- The following operation is useful only for machines that are being configured as a PDC or a BDC.
- DMS and workstation clients should have their own machine SID to avoid
- any potential namespace collision. Here is the way that the BDC SID can be synchronized to that
- of the PDC (this is the default NT4 domain practice also):
-<a class="indexterm" name="id371071"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc getsid -S FRODO -Uroot%not24get
-Storing SID S-1-5-21-726309263-4128913605-1168186429 \
- for Domain MIDEARTH in secrets.tdb
-</pre><p>
- Usually it is not necessary to specify the target server (-S FRODO) or the administrator account
- credentials (-Uroot%not24get).
- </p></div><div class="sect1" title="Share Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id371098"></a>Share Management</h2></div></div></div><p>
- Share management is central to all file serving operations. Typical share operations include:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Creation/change/deletion of shares</p></li><li class="listitem"><p>Setting/changing ACLs on shares</p></li><li class="listitem"><p>Moving shares from one server to another</p></li><li class="listitem"><p>Change of permissions of share contents</p></li></ul></div><p>
- Each of these are dealt with here insofar as they involve the use of the <code class="literal">net</code>
- command. Operations outside of this command are covered elsewhere in this document.
- </p><div class="sect2" title="Creating, Editing, and Removing Shares"><div class="titlepage"><div><div><h3 class="title"><a name="id371140"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p>
- A share can be added using the <code class="literal">net rpc share</code> command capabilities.
- The target machine may be local or remote and is specified by the -S option. It must be noted
- that the addition and deletion of shares using this tool depends on the availability of a suitable
- interface script. The interface scripts Sambas <code class="literal">smbd</code> uses are called
- <a class="link" href="smb.conf.5.html#ADDSHARECOMMAND" target="_top">add share command</a>, <a class="link" href="smb.conf.5.html#DELETESHARECOMMAND" target="_top">delete share command</a> and
- <a class="link" href="smb.conf.5.html#CHANGESHARECOMMAND" target="_top">change share command</a>. A set of example scripts are provided in the Samba source
- code tarball in the directory <code class="filename">~samba/examples/scripts</code>.
- </p><p>
- The following steps demonstrate the use of the share management capabilities of the <code class="literal">net</code>
- utility. In the first step a share called <code class="constant">Bulge</code> is added. The sharepoint within the
- file system is the directory <code class="filename">/data</code>. The command that can be executed to perform the
- addition of this share is shown here:
-<a class="indexterm" name="id371223"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc share add Bulge=/data -S MERLIN -Uroot%not24get
-</pre><p>
- Validation is an important process, and by executing the command <code class="literal">net rpc share</code>
- with no other operators it is possible to obtain a listing of available shares, as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc share -S MERLIN -Uroot%not24get
-profdata
-archive
-Bulge &lt;--- This one was added
-print$
-netlogon
-profiles
-IPC$
-kyocera
-ADMIN$
-</pre><p>
- </p><p>
- Often it is desirable also to permit a share to be removed using a command-line tool.
- The following step permits the share that was previously added to be removed:
-<a class="indexterm" name="id371271"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc share delete Bulge -S MERLIN -Uroot%not24get
-</pre><p>
- A simple validation shown here demonstrates that the share has been removed:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc share -S MERLIN -Uroot%not24get
-profdata
-archive
-print$
-netlogon
-profiles
-IPC$
-ADMIN$
-kyocera
-</pre><p>
- </p></div><div class="sect2" title="Creating and Changing Share ACLs"><div class="titlepage"><div><div><h3 class="title"><a name="id371309"></a>Creating and Changing Share ACLs</h3></div></div></div><p>
- At this time the <code class="literal">net</code> tool cannot be used to manage ACLs on Samba shares. In MS Windows
- language this is called Share Permissions.
- </p><p>
- It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager
- or using the Computer Management MMC snap-in. Neither is covered here,
- but see <a class="link" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">&#8220;File, Directory, and Share Access Controls&#8221;</a>.
- </p></div><div class="sect2" title="Share, Directory, and File Migration"><div class="titlepage"><div><div><h3 class="title"><a name="id371336"></a>Share, Directory, and File Migration</h3></div></div></div><p>
-<a class="indexterm" name="id371344"></a>
- Shares and files can be migrated in the same manner as user, machine, and group accounts.
- It is possible to preserve access control settings (ACLs) as well as security settings
- throughout the migration process. The <code class="literal">net rpc vampire</code> facility is used
- to migrate accounts from a Windows NT4 (or later) domain to a Samba server. This process
- preserves passwords and account security settings and is a precursor to the migration
- of shares and files.
- </p><p>
- The <code class="literal">net rpc share</code> command may be used to migrate shares, directories,
- files, and all relevant data from a Windows server to a Samba server.
- </p><p>
- A set of command-line switches permit the creation of almost direct clones of Windows file
- servers. For example, when migrating a fileserver, file ACLs and DOS file attributes from
- the Windows server can be included in the migration process and will reappear, almost identically,
- on the Samba server when the migration has been completed.
- </p><p>
- The migration process can be completed only with the Samba server already being fully operational.
- The user and group accounts must be migrated before attempting to migrate data
- share, files, and printers. The migration of files and printer configurations involves the use
- of both SMB and MS DCE RPC services. The benefit of the manner in which the migration process has
- been implemented is that the possibility now exists to use a Samba server as a man-in-middle migration
- service that affects a transfer of data from one server to another. For example, if the Samba
- server is called MESSER, the source Windows NT4 server is called PEPPY, and the target Samba
- server is called GONZALES, the machine MESSER can be used to effect the migration of all data
- (files and shares) from PEPPY to GONZALES. If the target machine is not specified, the local
- server is assumed by default - as net's general rule of thumb .
- </p><p>
- The success of server migration requires a firm understanding of the structure of the source
- server (or domain) as well as the processes on which the migration is critically dependant.
- </p><p>
- There are two known limitations to the migration process:
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- The <code class="literal">net</code> command requires that the user credentials provided exist on both
- the migration source and the migration target.
- </p></li><li class="listitem"><p>
- Printer settings may not be fully or may be incorrectly migrated. This might in particular happen
- when migrating a Windows 2003 print server to Samba.
- </p></li></ol></div><div class="sect3" title="Share Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id371426"></a>Share Migration</h4></div></div></div><p>
- The <code class="literal">net rpc share migrate</code> command operation permits the migration of plain
- share stanzas. A stanza contains the parameters within which a file or print share are defined.
- The use of this migration method will create share stanzas that have as parameters the file
- system directory path, an optional description, and simple security settings that permit write
- access to files. One of the first steps necessary following migration is to review the share
- stanzas to ensure that the settings are suitable for use.
- </p><p>
- The shares are created on the fly as part of the migration process. The <code class="literal">smbd</code>
- application does this by calling on the operating system to execute the script specified by the
- <code class="filename">smb.conf</code> parameter <em class="parameter"><code>add share command</code></em>.
- </p><p>
- There is a suitable example script for the <em class="parameter"><code>add share command</code></em> in the
- <code class="filename">$SAMBA_SOURCES/examples/scripts</code> directory. It should be noted that
- the account that is used to drive the migration must, of necessity, have appropriate file system
- access privileges and have the right to create shares and to set ACLs on them. Such rights are
- conferred by these rights: <em class="parameter"><code>SeAddUsersPrivilege</code></em> and <em class="parameter"><code>SeDiskOperatorPrivilege</code></em>.
- For more information regarding rights and privileges please refer to <a class="link" href="rights.html" title="Chapter 15. User Rights and Privileges">&#8220;User Rights and Privileges&#8221;</a>.
- </p><p>
- The syntax of the share migration command is shown here:
-</p><pre class="screen">
-net rpc share MIGRATE SHARES &lt;share-name&gt; -S &lt;source&gt;
- [--destination=localhost] [--exclude=share1,share2] [-v]
-</pre><p>
- When the parameter &lt;share-name&gt; is omitted, all shares will be migrated. The potentially
- large list of available shares on the system that is being migrated can be limited using the
- <em class="parameter"><code>--exclude</code></em> switch. For example:
-<a class="indexterm" name="id371524"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc share migrate shares myshare\
- -S win2k -U administrator%secret"
-</pre><p>
- This will migrate the share <code class="constant">myshare</code> from the server <code class="constant">win2k</code>
- to the Samba Server using the permissions that are tied to the account <code class="constant">administrator</code>
- with the password <code class="constant">secret</code>. The account that is used must be the same on both the
- migration source server and the target Samba server. The use of the <code class="literal">net rpc
- vampire</code>, prior to attempting the migration of shares, will ensure that accounts will be
- identical on both systems. One precaution worth taking before commencement of migration of shares is
- to validate that the migrated accounts (on the Samba server) have the needed rights and privileges.
- This can be done as shown here:
-<a class="indexterm" name="id371572"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc right list accounts -Uroot%not24get
-</pre><p>
- The steps taken so far perform only the migration of shares. Directories and directory contents
- are not migrated by the steps covered up to this point.
- </p></div><div class="sect3" title="File and Directory Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id371598"></a>File and Directory Migration</h4></div></div></div><p>
- Everything covered to this point has been done in preparation for the migration of file and directory
- data. For many people preparation is potentially boring and the real excitement only begins when file
- data can be used. The next steps demonstrate the techniques that can be used to transfer (migrate)
- data files using the <code class="literal">net</code> command.
- </p><p>
- Transfer of files from one server to another has always been a challenge for MS Windows
- administrators because Windows NT and 200X servers do not always include the tools needed. The
- <code class="literal">xcopy</code> from Windows NT is not capable of preserving file and directory ACLs,
- it does so only with Windows 200x. Microsoft does provide a
- utility that can copy ACLs (security settings) called <code class="literal">scopy</code>, but it is provided only
- as part of the Windows NT or 200X Server Resource Kit.
- </p><p>
- There are several tools, both commercial and freeware, that can be used from a Windows server to copy files
- and directories with full preservation of security settings. One of the best known of the free tools is
- called <code class="literal">robocopy</code>.
- </p><p>
- The <code class="literal">net</code> utility can be used to copy files and directories with full preservation of
- ACLs as well as DOS file attributes. Note that including ACLs makes sense only where the destination
- system will operate within the same security context as the source system. This applies both to a
- DMS and to domain controllers that result from a vampired domain.
- Before file and directory migration, all shares must already exist.
- </p><p>
- The syntax for the migration commands is shown here:
-</p><pre class="screen">
-net rpc share MIGRATE FILES &lt;share-name&gt; -S &lt;source&gt;
- [--destination=localhost] [--exclude=share1,share2]
- [--acls] [--attrs] [--timestamps] [-v]
-</pre><p>
- If the &lt;share-name&gt; parameter is omitted, all shares will be migrated. The potentially large
- list of shares on the source system can be restricted using the <em class="parameter"><code>--exclude</code></em> command
- switch.
- </p><p>
- Where it is necessary to preserve all file ACLs, the <em class="parameter"><code>--acls</code></em> switch should be added
- to the above command line. Original file timestamps can be preserved by specifying the
- <em class="parameter"><code>--timestamps</code></em> switch, and the DOS file attributes (i.e., hidden, archive, etc.) can
- be preserved by specifying the <em class="parameter"><code>--attrs</code></em> switch.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- The ability to preserve ACLs depends on appropriate support for ACLs as well as the general file system
- semantics of the host operating system on the target server. A migration from one Windows file server to
- another will perfectly preserve all file attributes. Because of the difficulty of mapping Windows ACLs
- onto a POSIX ACLs-supporting system, there can be no perfect migration of Windows ACLs to a Samba server.
- </p></div><p>
- The ACLs that result on a Samba server will most probably not match the originating ACLs. Windows supports
- the possibility of files that are owned only by a group. Group-alone file ownership is not possible under
- UNIX/Linux. Errors in migrating group-owned files can be avoided by using the <code class="filename">smb.conf</code> file
- <a class="link" href="smb.conf.5.html#FORCEUNKNOWNACLUSER" target="_top">force unknown acl user = yes</a> parameter. This facility will
- automatically convert group-owned files into correctly user-owned files on the Samba server.
- </p><p>
- An example for migration of files from a machine called <code class="constant">nt4box</code> to the Samba server
- from which the process will be handled is shown here:
-<a class="indexterm" name="id371742"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc share migrate files -S nt4box --acls \
- --attrs -U administrator%secret
-</pre><p>
- </p><p>
- This command will migrate all files and directories from all file shares on the Windows server called
- <code class="constant">nt4box</code> to the Samba server from which migration is initiated. Files that are group-owned
- will be owned by the user account <code class="constant">administrator</code>.
- </p></div><div class="sect3" title="Share-ACL Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id371779"></a>Share-ACL Migration</h4></div></div></div><p>
- It is possible to have share-ACLs (security descriptors) that won't allow you, even as Administrator, to
- copy any files or directories into it. Therefor the migration of the share-ACLs has been put into a separate
- function:
-<a class="indexterm" name="id371789"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc share migrate security -S nt4box -U administrator%secret
-</pre><p>
- </p><p>
- This command will only copy the share-ACL of each share on nt4box to your local samba-system.
- </p></div><div class="sect3" title="Simultaneous Share and File Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id371818"></a>Simultaneous Share and File Migration</h4></div></div></div><p>
- The operating mode shown here is just a combination of the previous three. It first migrates
- share definitions and then all shared files and directories and finally migrates the share-ACLs:
-</p><pre class="screen">
-net rpc share MIGRATE ALL &lt;share-name&gt; -S &lt;source&gt;
- [--exclude=share1, share2] [--acls] [--attrs] [--timestamps] [-v]
-</pre><p>
- </p><p>
- An example of simultaneous migration is shown here:
-<a class="indexterm" name="id371839"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc share migrate all -S w2k3server -U administrator%secret
-</pre><p>
- This will generate a complete server clone of the <em class="parameter"><code>w2k3server</code></em> server.
- </p></div></div><div class="sect2" title="Printer Migration"><div class="titlepage"><div><div><h3 class="title"><a name="id371872"></a>Printer Migration</h3></div></div></div><p>
- The installation of a new server, as with the migration to a new network environment, often is similar to
- building a house; progress is very rapid from the laying of foundations up to the stage at which
- the house can be locked up, but the finishing off appears to take longer and longer as building
- approaches completion.
- </p><p>
- Printing needs vary greatly depending on the network environment and may be very simple or complex. If
- the need is very simple, the best solution to the implementation of printing support may well be to
- re-install everything from a clean slate instead of migrating older configurations. On the other hand,
- a complex network that is integrated with many international offices and a complex arrangement of local branch
- offices, each of which form an inter-twined maze of printing possibilities, the ability to migrate all
- printer configurations is decidedly beneficial. To manually re-establish a complex printing network
- will take much time and frustration. Often it will not be possible to find driver files that are
- currently in use, necessitating the installation of newer drivers. Newer drivers often implement
- printing features that will necessitate a change in the printer usage. Additionally, with very complex
- printer configurations it becomes almost impossible to re-create the same environment no matter
- how extensively it has been documented.
- </p><p>
- The migration of an existing printing architecture involves the following:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Establishment of print queues.</p></li><li class="listitem"><p>Installation of printer drivers (both for the print server and for Windows clients.</p></li><li class="listitem"><p>Configuration of printing forms.</p></li><li class="listitem"><p>Implementation of security settings.</p></li><li class="listitem"><p>Configuration of printer settings.</p></li></ul></div><p>
- The Samba <code class="literal">net</code> utility permits printer migration from one Windows print server
- to another. When this tool is used to migrate printers to a Samba server <code class="literal">smbd</code>,
- the application that receives the network requests to create the necessary services must call out
- to the operating system in order to create the underlying printers. The call-out is implemented
- by way of an interface script that can be specified by the <code class="filename">smb.conf</code> file parameter
- <a class="link" href="smb.conf.5.html#ADDPRINTERSCRIPT" target="_top">add printer script</a>. This script is essential to the migration process.
- A suitable example script may be obtained from the <code class="filename">$SAMBA_SOURCES/examples/scripts</code>
- directory. Take note that this script must be customized to suit the operating system environment
- and may use its tools to create a print queue.
- </p><p>
- Each of the components listed above can be completed separately, or they can be completed as part of an
- automated operation. Many network administrators prefer to deal with migration issues in a manner that
- gives them the most control, particularly when things go wrong. The syntax for each operation is now
- briefly described.
- </p><p>
- Printer migration from a Windows print server (NT4 or 200x) is shown. This instruction causes the
- printer share to be created together with the underlying print queue:
-<a class="indexterm" name="id371984"></a>
-</p><pre class="screen">
-net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]
-</pre><p>
- Printer drivers can be migrated from the Windows print server to the Samba server using this
- command-line instruction:
-<a class="indexterm" name="id372002"></a>
-</p><pre class="screen">
-net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]
-</pre><p>
- Printer forms can be migrated with the following operation:
-<a class="indexterm" name="id372019"></a>
-</p><pre class="screen">
-net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]
-</pre><p>
- Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command:
-<a class="indexterm" name="id372038"></a>
-</p><pre class="screen">
-net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]
-</pre><p>
- Printer configuration settings include factors such as paper size and default paper orientation.
- These can be migrated from the Windows print server to the Samba server with this command:
-<a class="indexterm" name="id372057"></a>
-</p><pre class="screen">
-net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]
-</pre><p>
- </p><p>
- Migration of printers including the above-mentioned sets of information may be completed
- with a single command using this syntax:
-</p><pre class="screen">
-net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
-</pre><p>
- </p></div></div><div class="sect1" title="Controlling Open Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372088"></a>Controlling Open Files</h2></div></div></div><p>
- The man page documents the <code class="literal">net file</code> function suite, which provides the tools to
- close open files using either RAP or RPC function calls. Please refer to the man page for specific
- usage information.
- </p></div><div class="sect1" title="Session and Connection Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372105"></a>Session and Connection Management</h2></div></div></div><p>
- The session management interface of the <code class="literal">net session</code> command uses the old RAP
- method to obtain the list of connections to the Samba server, as shown here:
-<a class="indexterm" name="id372120"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rap session -S MERLIN -Uroot%not24get
-Computer User name Client Type Opens Idle time
-------------------------------------------------------------------------------
-\\merlin root Unknown Client 0 00:00:00
-\\marvel jht Unknown Client 0 00:00:00
-\\maggot jht Unknown Client 0 00:00:00
-\\marvel jht Unknown Client 0 00:00:00
-</pre><p>
- </p><p>
- A session can be closed by executing a command as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rap session close marvel -Uroot%not24get
-</pre><p>
- </p></div><div class="sect1" title="Printers and ADS"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372165"></a>Printers and ADS</h2></div></div></div><p>
- When Samba-3 is used within an MS Windows ADS environment, printers shared via Samba will not be browseable
- until they have been published to the ADS domain. Information regarding published printers may be obtained
- from the ADS server by executing the <code class="literal">net ads print info</code> command following this syntax:
-<a class="indexterm" name="id372181"></a>
-</p><pre class="screen">
-net ads printer info &lt;printer_name&gt; &lt;server_name&gt; -Uadministrator%secret
-</pre><p>
- If the asterisk (*) is used in place of the printer_name argument, a list of all printers will be
- returned.
- </p><p>
- To publish (make available) a printer to ADS, execute the following command:
-<a class="indexterm" name="id372204"></a>
-</p><pre class="screen">
-net ads printer publish &lt;printer_name&gt; -Uadministrator%secret
-</pre><p>
- This publishes a printer from the local Samba server to ADS.
- </p><p>
- Removal of a Samba printer from ADS is achieved by executing this command:
-<a class="indexterm" name="id372226"></a>
-</p><pre class="screen">
-net ads printer remove &lt;printer_name&gt; -Uadministrator%secret
-</pre><p>
- </p><p>
- A generic search (query) can also be made to locate a printer across the entire ADS domain by executing:
-<a class="indexterm" name="id372248"></a>
-</p><pre class="screen">
-net ads printer search &lt;printer_name&gt; -Uadministrator%secret
-</pre><p>
- </p></div><div class="sect1" title="Manipulating the Samba Cache"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372268"></a>Manipulating the Samba Cache</h2></div></div></div><p>
- Please refer to the <code class="literal">net</code> command man page for information regarding cache management.
- </p></div><div class="sect1" title="Managing IDMAP UID/SID Mappings"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372285"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p>
- The IDMAP UID to SID, and SID to UID, mappings that are created by <code class="literal">winbindd</code> can be
- backed up to a text file. The text file can be manually edited, although it is highly recommended that
- you attempt this only if you know precisely what you are doing.
- </p><p>
- An IDMAP text dump file can be restored (or reloaded). There are two situations that may necessitate
- this action: a) The existing IDMAP file is corrupt, b) It is necessary to install an editted version
- of the mapping information.
- </p><p>
- Winbind must be shut down to dump the IDMAP file. Before restoring a dump file, shut down
- <code class="literal">winbindd</code> and delete the old <code class="filename">winbindd_idmap.tdb</code> file.
- </p><div class="sect2" title="Creating an IDMAP Database Dump File"><div class="titlepage"><div><div><h3 class="title"><a name="id372323"></a>Creating an IDMAP Database Dump File</h3></div></div></div><p>
- The IDMAP database can be dumped to a text file as shown here:
-</p><pre class="screen">
-net idmap dump &lt;full_path_and_tdb_filename&gt; &gt; dumpfile.txt
-</pre><p>
- Where a particular build of Samba the run-time tdb files are stored in the
- <code class="filename">/var/lib/samba</code> directory the following commands to create the dump file will suffice:
-</p><pre class="screen">
-net idmap dump /var/lib/samba/winbindd_idmap.tdb &gt; idmap_dump.txt
-</pre><p>
- </p></div><div class="sect2" title="Restoring the IDMAP Database Dump File"><div class="titlepage"><div><div><h3 class="title"><a name="id372354"></a>Restoring the IDMAP Database Dump File</h3></div></div></div><p>
- The IDMAP dump file can be restored using the following command:
-</p><pre class="screen">
-net idmap restore idmap_dump.txt
-</pre><p>
- Where the Samba run-time tdb files are stored in the <code class="filename">/var/lib/samba</code> directory
- the following command can be used to restore the data to the tdb file:
-</p><pre class="screen">
-net idmap restore /var/lib/samba/winbindd_idmap.tdb &lt; idmap_dump.txt
-</pre><p>
- </p></div></div><div class="sect1" title="Other Miscellaneous Operations"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netmisc1"></a>Other Miscellaneous Operations</h2></div></div></div><p>
- The following command is useful for obtaining basic statistics regarding a Samba domain. This command does
- not work with current Windows XP Professional clients.
-<a class="indexterm" name="id372399"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc info
-Domain Name: RAPIDFLY
-Domain SID: S-1-5-21-399034208-633907489-3292421255
-Sequence number: 1116312355
-Num users: 720
-Num domain groups: 27
-Num local groups: 6
-</pre><p>
- </p><p>
- Another useful tool is the <code class="literal">net time</code> tool set. This tool may be used to query the
- current time on the target server as shown here:
-<a class="indexterm" name="id372432"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net time -S SAURON
-Tue May 17 00:50:43 2005
-</pre><p>
- In the event that it is the intent to pass the time information obtained to the UNIX
- <code class="literal">/bin/time</code>, it is a good idea to obtain the time from the target server in a format
- that is ready to be passed through. This may be done by executing:
-<a class="indexterm" name="id372461"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net time system -S FRODO
-051700532005.16
-</pre><p>
- The time can be set on a target server by executing:
-<a class="indexterm" name="id372485"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net time set -S MAGGOT -U Administrator%not24get
-Tue May 17 00:55:30 MDT 2005
-</pre><p>
- It is possible to obtain the time zone of a server by executing the following command against it:
-<a class="indexterm" name="id372509"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net time zone -S SAURON
--0600
-</pre><p>
- </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Group Mapping: MS Windows and UNIX </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. Identity Mapping (IDMAP)</td></tr></table></div></body></html>
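Review bot: The navigation footer removed at the end of this hunk links groupmapping.html as Prev and idmapper.html as Next, so those pages presumably link back to NetCommand.html; confirm they are deleted in the same commit, otherwise their Prev/Next links will point at a missing file. If these pages are generated from a source that stays in the tree, a few defects visible in the removed text should be fixed there rather than lost with the rendered copy. The "Printers and ADS" prose names `net ads print info` while the syntax line below it shows `net ads printer info`. The restore section gives two different forms, `net idmap restore idmap_dump.txt` and `net idmap restore /var/lib/samba/winbindd_idmap.tdb < idmap_dump.txt`. The examples also pass passwords inline as `-Uroot%not24get` and `-U administrator%secret`, which can expose them in shell history and the process list; any replacement documentation should show `-U` with the user name only and let `net` prompt for the password.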
diff --git a/docs/htmldocs/Samba3-HOWTO/NetworkBrowsing.html b/docs/htmldocs/Samba3-HOWTO/NetworkBrowsing.html
deleted file mode 100644
index 219513af01..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/NetworkBrowsing.html
+++ /dev/null
@@ -1,1346 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Network Browsing</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="ChangeNotes.html" title="Chapter 9. Important and Critical Change Notes for the Samba 3.x Series"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Network Browsing</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ChangeNotes.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 10. Network Browsing"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. 
Network Browsing</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jonathan</span> <span class="surname">Johnson</span></h3><div class="affiliation"><span class="orgname">Sutinen Consulting, Inc.<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jon@sutinen.com">jon@sutinen.com</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: September 20, 2006</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetworkBrowsing.html#id349822">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#id349988">What Is Browsing?</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#netdiscuss">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id351491">How 
Browsing Functions</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353161">Note about Broadcast Addresses</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353180">Multiple Interfaces</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353357">Use of the Remote Announce Parameter</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353486">Use of the Remote Browse Sync Parameter</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id353824">WINS Server Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354117">WINS Replication</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354166">Static WINS Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id354384">Helpful Hints</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354520">Name Resolution Order</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id354713">Technical Overview of Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354972">Problem 
Resolution</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id356151">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id356175">Flushing the Samba NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356240">Server Resources Cannot Be Listed</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356285">I Get an "<span class="errorname">Unable to browse the network</span>" Error</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356510">Invalid Cached Share References Affects Network Browsing</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id349741"></a>
-<a class="indexterm" name="id349748"></a>
-<a class="indexterm" name="id349755"></a>
-<a class="indexterm" name="id349762"></a>
-This chapter contains detailed information as well as a fast-track guide to
-implementing browsing across subnets and/or across workgroups (or domains).
-WINS is the best tool for resolution of NetBIOS names to IP addresses; however, WINS is
-not involved in browse list handling except by way of name-to-address resolution.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id349776"></a>
-What is WINS?
-</p><p>
-WINS is a facility that provides resolution of a NetBIOS name to its IP address. WINS is like a
-Dynamic-DNS service for NetBIOS networking names.
-</p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id349791"></a>
-<a class="indexterm" name="id349798"></a>
-<a class="indexterm" name="id349805"></a>
-<a class="indexterm" name="id349812"></a>
-MS Windows 2000 and later versions can be configured to operate with no NetBIOS
-over TCP/IP. Samba-3 and later versions also support this mode of operation.
-When the use of NetBIOS over TCP/IP has been disabled, the primary
-means for resolution of MS Windows machine names is via DNS and Active Directory.
-The following information assumes that your site is running NetBIOS over TCP/IP.
-</p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id349822"></a>Features and Benefits</h2></div></div></div><p>
-Charles Dickens once referred to the past in these words: <span class="quote">&#8220;<span class="quote"><span class="emphasis"><em>It was the best of times,
-it was the worst of times.</em></span></span>&#8221;</span> The more we look back, the more we long for what was and
-hope it never returns.
-</p><p>
-<a class="indexterm" name="id349840"></a>
-<a class="indexterm" name="id349846"></a>
-<a class="indexterm" name="id349853"></a>
-For many MS Windows network administrators, that statement sums up their feelings about
-NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
-nature was just par for the course. For those who never quite managed to tame its
-lusty features, NetBIOS is like Paterson's Curse.
-</p><p>
-For those not familiar with botanical problems in Australia, Paterson's Curse,
-<span class="emphasis"><em>Echium plantagineum</em></span>, was introduced to Australia from Europe during the mid-19th
-century. Since then it has spread rapidly. The high seed production, with densities of
-thousands of seeds per square meter, a seed longevity of more than 7 years, and an
-ability to germinate at any time of year, given the right conditions, are some of the
-features that make it such a persistent weed.
-</p><p>
-<a class="indexterm" name="id349877"></a>
-<a class="indexterm" name="id349886"></a>
-<a class="indexterm" name="id349892"></a>
-<a class="indexterm" name="id349899"></a>
-<a class="indexterm" name="id349906"></a>
-In this chapter we explore vital aspects of Server Message Block (SMB) networking with
-a particular focus on SMB as implemented through running NetBIOS (Network Basic
-Input/Output System) over TCP/IP. Since Samba does not implement SMB or NetBIOS over
-any other protocols, we need to know how to configure our network environment and simply
-remember to use nothing but TCP/IP on all our MS Windows network clients.
-</p><p>
-<a class="indexterm" name="id349920"></a>
-<a class="indexterm" name="id349926"></a>
-Samba provides the ability to implement a WINS (Windows Internetworking Name Server)
-and implements extensions to Microsoft's implementation of WINS. These extensions
-help Samba to effect stable WINS operations beyond the normal scope of MS WINS.
-</p><p>
-<a class="indexterm" name="id349939"></a>
-<a class="indexterm" name="id349946"></a>
-<a class="indexterm" name="id349952"></a>
-WINS is exclusively a service that applies only to those systems
-that run NetBIOS over TCP/IP. MS Windows 200x/XP have the capacity to operate with
-support for NetBIOS disabled, in which case WINS is of no relevance. Samba supports this also.
-</p><p>
-<a class="indexterm" name="id349964"></a>
-<a class="indexterm" name="id349971"></a>
-<a class="indexterm" name="id349978"></a>
-For those networks on which NetBIOS has been disabled (i.e., WINS is not required),
-the use of DNS is necessary for hostname resolution.
-</p></div><div class="sect1" title="What Is Browsing?"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id349988"></a>What Is Browsing?</h2></div></div></div><p>
-<a class="indexterm" name="id349996"></a>
-<a class="indexterm" name="id350003"></a>
-<a class="indexterm" name="id350009"></a>
-<a class="indexterm" name="id350016"></a>
-To most people, browsing means they can see the MS Windows and Samba servers
-in the Network Neighborhood, and when the computer icon for a particular server is
-clicked, it opens up and shows the shares and printers available on the target server.
-</p><p>
-What seems so simple is in fact a complex interaction of different technologies.
-The technologies (or methods) employed in making all of this work include:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>MS Windows machines register their presence to the network.</p></li><li class="listitem"><p>Machines announce themselves to other machines on the network.</p></li><li class="listitem"><p>One or more machines on the network collate the local announcements.</p></li><li class="listitem"><p>The client machine finds the machine that has the collated list of machines.</p></li><li class="listitem"><p>The client machine is able to resolve the machine names to IP addresses.</p></li><li class="listitem"><p>The client machine is able to connect to a target machine.</p></li></ul></div><p>
-<a class="indexterm" name="id350066"></a>
-<a class="indexterm" name="id350073"></a>
-<a class="indexterm" name="id350080"></a>
-The Samba application that controls browse list management and name resolution is
-called <code class="filename">nmbd</code>. The configuration parameters involved in nmbd's operation are:
-</p><p>
-Browsing options:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><a class="link" href="smb.conf.5.html#OSLEVEL" target="_top">os level</a></li><li class="listitem"><a class="link" href="smb.conf.5.html#LMANNOUNCE" target="_top">lm announce</a></li><li class="listitem"><a class="link" href="smb.conf.5.html#LMINTERVAL" target="_top">lm interval</a></li><li class="listitem"><a class="link" href="smb.conf.5.html#PREFERREDMASTER" target="_top">preferred master</a>(*)</li><li class="listitem"><a class="link" href="smb.conf.5.html#LOCALMASTER" target="_top">local master</a>(*)</li><li class="listitem"><a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master</a>(*)</li><li class="listitem"><a class="link" href="smb.conf.5.html#BROWSELIST" target="_top">browse list</a></li><li class="listitem"><a class="link" href="smb.conf.5.html#ENHANCEDBROWSING" target="_top">enhanced browsing</a></li></ul></div><p>
-Name Resolution Method:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><a class="link" href="smb.conf.5.html#NAMERESOLVEORDER" target="_top">name resolve order</a>(*)</li></ul></div><p>
-WINS options:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><a class="link" href="smb.conf.5.html#DNSPROXY" target="_top">dns proxy</a></li><li class="listitem"><a class="link" href="smb.conf.5.html#WINSPROXY" target="_top">wins proxy</a></li><li class="listitem"><a class="link" href="smb.conf.5.html#WINSSERVER" target="_top">wins server</a>(*)</li><li class="listitem"><a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support</a>(*)</li><li class="listitem"><a class="link" href="smb.conf.5.html#WINSHOOK" target="_top">wins hook</a></li></ul></div><p>
-Those marked with an (*) are the only options that commonly may need to be modified. Even if none of these
-parameters is set, <code class="filename">nmbd</code> will still do its job.
-</p><p>
-<a class="indexterm" name="id350308"></a>
-<a class="indexterm" name="id350315"></a>
-<a class="indexterm" name="id350322"></a>
-<a class="indexterm" name="id350328"></a>
-<a class="indexterm" name="id350335"></a>
-For Samba, the WINS Server and WINS Support are mutually exclusive options. When <code class="literal">nmbd</code> is
-started it will fail to execute if both options are set in the <code class="filename">smb.conf</code> file. The <code class="literal">nmbd</code>
-understands that when it spawns an instance of itself to run as a WINS server that it has to use its own WINS
-server also.
-</p></div><div class="sect1" title="Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netdiscuss"></a>Discussion</h2></div></div></div><p>
-<a class="indexterm" name="id350374"></a>
-<a class="indexterm" name="id350381"></a>
-<a class="indexterm" name="id350388"></a>
-<a class="indexterm" name="id350395"></a>
-All MS Windows networking uses SMB-based messaging. SMB messaging may be implemented with or without NetBIOS.
-MS Windows 200x supports NetBIOS over TCP/IP for backwards compatibility. Microsoft appears intent on phasing
-out NetBIOS support.
-</p><div class="sect2" title="NetBIOS over TCP/IP"><div class="titlepage"><div><div><h3 class="title"><a name="id350405"></a>NetBIOS over TCP/IP</h3></div></div></div><p>
-<a class="indexterm" name="id350413"></a>
-<a class="indexterm" name="id350419"></a>
-<a class="indexterm" name="id350426"></a>
-<a class="indexterm" name="id350433"></a>
-Samba implements NetBIOS, as does MS Windows NT/200x/XP, by encapsulating it over TCP/IP.
-NetBIOS-based networking uses broadcast messaging to effect browse list management. When running NetBIOS over
-TCP/IP, this uses UDP-based messaging. UDP messages can be broadcast or unicast.
-</p><p>
-<a class="indexterm" name="id350445"></a>
-Normally, only unicast UDP messaging can be forwarded by routers. The <a class="link" href="smb.conf.5.html#REMOTEANNOUNCE" target="_top">remote announce</a>
-parameter to smb.conf helps to project browse announcements to remote network segments via unicast UDP.
-Similarly, the <a class="link" href="smb.conf.5.html#REMOTEBROWSESYNC" target="_top">remote browse sync</a> parameter of <code class="filename">smb.conf</code> implements browse list
-collation using unicast UDP.
-</p><p>
-The methods used by MS Windows to perform name lookup requests (name resolution) is determined by a
-configuration parameter called the NetBIOS node-type. There are four basic NetBIOS node types:
-</p><a class="indexterm" name="id350489"></a><a class="indexterm" name="id350496"></a><a class="indexterm" name="id350503"></a><a class="indexterm" name="id350509"></a><a class="indexterm" name="id350516"></a><a class="indexterm" name="id350523"></a><a class="indexterm" name="id350530"></a><a class="indexterm" name="id350537"></a><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>b-node (type 0x01):</em></span> The Windows client will use only
- NetBIOS broadcast requests using UDP broadcast.</p></li><li class="listitem"><p><span class="emphasis"><em>p-node (type 0x02):</em></span> The Windows client will use point-to-point
- (NetBIOS unicast) requests using UDP unicast directed to a WINS server.</p></li><li class="listitem"><p><span class="emphasis"><em>m-node (type 0x04):</em></span> The Windows client will first use
- NetBIOS broadcast requests using UDP broadcast, then it will use (NetBIOS unicast)
- requests using UDP unicast directed to a WINS server.</p></li><li class="listitem"><p><span class="emphasis"><em>h-node (type 0x08):</em></span> The Windows client will use
- (NetBIOS unicast) requests using UDP unicast directed to a WINS server, then it will use
- NetBIOS broadcast requests using UDP broadcast.</p></li></ul></div><p>
-<a class="indexterm" name="id350580"></a>
-<a class="indexterm" name="id350586"></a>
-<a class="indexterm" name="id350593"></a>
-<a class="indexterm" name="id350600"></a>
-<a class="indexterm" name="id350607"></a>
-<a class="indexterm" name="id350614"></a>
-The default Windows network client (or server) network configuration enables NetBIOS over TCP/IP
-and b-node configuration. The use of WINS makes most sense with h-node (hybrid mode) operation so that
-in the event of a WINS breakdown or non-availability, the client can use broadcast-based name resolution.
-</p><p>
-<a class="indexterm" name="id350626"></a>
-<a class="indexterm" name="id350635"></a>
-<a class="indexterm" name="id350642"></a>
-<a class="indexterm" name="id350649"></a>
-<a class="indexterm" name="id350655"></a>
-<a class="indexterm" name="id350662"></a>
-<a class="indexterm" name="id350669"></a>
-In those networks where Samba is the only SMB server technology, wherever possible <code class="filename">nmbd</code>
-should be configured on one machine as the WINS server. This makes it easy to manage the browsing environment.
-If each network segment is configured with its own Samba WINS server, then the only way to get cross-segment
-browsing to work is by using the <a class="link" href="smb.conf.5.html#REMOTEANNOUNCE" target="_top">remote announce</a> and the <a class="link" href="smb.conf.5.html#REMOTEBROWSESYNC" target="_top">remote browse sync</a> parameters to your <code class="filename">smb.conf</code> file.
-</p><p>
-<a class="indexterm" name="id350716"></a>
-If only one WINS server is used for an entire multisegment network, then
-the use of the <a class="link" href="smb.conf.5.html#REMOTEANNOUNCE" target="_top">remote announce</a> and the
-<a class="link" href="smb.conf.5.html#REMOTEBROWSESYNC" target="_top">remote browse sync</a> parameters should not be necessary.
-</p><p>
-<a class="indexterm" name="id350748"></a>
-As of Samba-3, WINS replication is being worked on. The bulk of the code has been committed, but it still
-needs maturation. This is not a supported feature of the Samba-3.0.20 release. Hopefully, this will become a
-supported feature of one of the Samba-3 release series. The delay is caused by the fact that this feature has
-not been of sufficient significance to inspire someone to pay a developer to complete it.
-</p><p>
-<a class="indexterm" name="id350764"></a>
-<a class="indexterm" name="id350771"></a>
-<a class="indexterm" name="id350777"></a>
-<a class="indexterm" name="id350784"></a>
-<a class="indexterm" name="id350791"></a>
-<a class="indexterm" name="id350798"></a>
-<a class="indexterm" name="id350804"></a>
-<a class="indexterm" name="id350811"></a>
-Right now Samba WINS does not support MS-WINS replication. This means that when setting up Samba as a WINS
-server, there must only be one <code class="filename">nmbd</code> configured as a WINS server on the network. Some
-sites have used multiple Samba WINS servers for redundancy (one server per subnet) and then used
-<a class="link" href="smb.conf.5.html#REMOTEBROWSESYNC" target="_top">remote browse sync</a> and <a class="link" href="smb.conf.5.html#REMOTEANNOUNCE" target="_top">remote announce</a> to effect browse list
-collation across all segments. Note that this means clients will only resolve local names and must be
-configured to use DNS to resolve names on other subnets in order to resolve the IP addresses of the servers
-they can see on other subnets. This setup is not recommended but is mentioned as a practical consideration
-(i.e., an <span class="quote">&#8220;<span class="quote">if all else fails</span>&#8221;</span> scenario). NetBIOS over TCP/IP is an ugly and difficult to manage
-protocol. Its replacement, NetBIOSless SMB over TCP/IP is not without its own manageability concerns. NetBIOS
-based networking is a life of compromise and trade-offs. WINS stores information that cannot be stored in
-DNS; consequently, DNS is a poor substitute for WINS given that when NetBIOS over TCP/IP is used, Windows
-clients are designed to use WINS.
-</p><p>
-<a class="indexterm" name="id350861"></a>
-<a class="indexterm" name="id350867"></a>
-<a class="indexterm" name="id350874"></a>
-Lastly, take note that browse lists are a collection of unreliable broadcast
-messages that are repeated at intervals of not more than 15 minutes. This means
-that it will take time to establish a browse list, and it can take up to 45
-minutes to stabilize, particularly across network segments.
-</p><p>
-<a class="indexterm" name="id350887"></a>
-When an MS Windows 200x/XP system attempts to resolve a host name to an IP address, it follows a defined path:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- Checks the <code class="filename">hosts</code> file. It is located in <code class="filename">%SystemRoot%\System32\Drivers\etc</code>.
- </p></li><li class="listitem"><p>
- Does a DNS lookup.
- </p></li><li class="listitem"><p>
- Checks the NetBIOS name cache.
- </p></li><li class="listitem"><p>
- Queries the WINS server.
- </p></li><li class="listitem"><p>
- Does a broadcast name lookup over UDP.
- </p></li><li class="listitem"><p>
- Looks up entries in LMHOSTS, located in <code class="filename">%SystemRoot%\System32\Drivers\etc</code>.
- </p></li></ol></div><p>
-<a class="indexterm" name="id350951"></a>
-<a class="indexterm" name="id350958"></a>
-<a class="indexterm" name="id350965"></a>
-<a class="indexterm" name="id350972"></a>
-Given the nature of how the NetBIOS over TCP/IP protocol is implemented, only WINS is capable of resolving
-with any reliability name lookups for service-oriented names such as TEMPTATION&lt;1C&gt; a NetBIOS
-name query that seeks to find network logon servers. DNS has no concept of service-oriented names such as
-this. In fact, the Microsoft ADS implementation specifically manages a whole range of extended
-service-oriented DNS entries. This type of facility is not implemented and is not supported for the NetBIOS
-over TCP/IP protocol namespace.
-</p></div><div class="sect2" title="TCP/IP without NetBIOS"><div class="titlepage"><div><div><h3 class="title"><a name="id350990"></a>TCP/IP without NetBIOS</h3></div></div></div><p>
-<a class="indexterm" name="id350998"></a>
-<a class="indexterm" name="id351004"></a>
-<a class="indexterm" name="id351011"></a>
-All TCP/IP-enabled systems use various forms of hostname resolution. The primary
-methods for TCP/IP hostname resolution involve either a static file (<code class="filename">/etc/hosts</code>)
-or the Domain Name System (DNS). DNS is the technology that makes
-the Internet usable. DNS-based hostname resolution is supported by nearly all
-TCP/IP-enabled systems. Only a few embedded TCP/IP systems do not support DNS.
-</p><p>
-<a class="indexterm" name="id351029"></a>
-<a class="indexterm" name="id351036"></a>
-<a class="indexterm" name="id351043"></a>
-<a class="indexterm" name="id351050"></a>
-Windows 200x/XP can register its hostname with a Dynamic DNS server (DDNS). It is possible to force register with a
-dynamic DNS server in Windows 200x/XP using <code class="literal">ipconfig /registerdns</code>.
-</p><p>
-<a class="indexterm" name="id351069"></a>
-<a class="indexterm" name="id351076"></a>
-<a class="indexterm" name="id351082"></a>
-With Active Directory, a correctly functioning DNS server is absolutely essential. In the absence of a working
-DNS server that has been correctly configured, MS Windows clients and servers will be unable to locate each
-other, so network services consequently will be severely impaired.
-</p><p>
-<a class="indexterm" name="id351095"></a>
-<a class="indexterm" name="id351102"></a>
-<a class="indexterm" name="id351108"></a>
-<a class="indexterm" name="id351115"></a>
-<a class="indexterm" name="id351122"></a>
-<a class="indexterm" name="id351128"></a>
-Use of raw SMB over TCP/IP (No NetBIOS layer) can be done only with Active Directory domains. Samba is not an
-Active Directory domain controller: ergo, it is not possible to run Samba as a domain controller and at the same
-time <span class="emphasis"><em>not</em></span> use NetBIOS. Where Samba is used as an Active Directory domain member server
-(DMS) it is possible to configure Samba to not use NetBIOS over TCP/IP. A Samba DMS can integrate fully into
-an Active Directory domain, however, if NetBIOS over TCP/IP is disabled, it is necessary to manually create
-appropriate DNS entries for the Samba DMS because they will not be automatically generated either by Samba, or
-by the ADS environment.
-</p></div><div class="sect2" title="DNS and Active Directory"><div class="titlepage"><div><div><h3 class="title"><a name="adsdnstech"></a>DNS and Active Directory</h3></div></div></div><p>
-<a class="indexterm" name="id351158"></a>
-<a class="indexterm" name="id351166"></a>
-<a class="indexterm" name="id351173"></a>
-<a class="indexterm" name="id351180"></a>
-<a class="indexterm" name="id351187"></a>
-Occasionally we hear from UNIX network administrators who want to use a UNIX-based DDNS server in place
-of the Microsoft DNS server. While this might be desirable to some, the MS Windows 200x DNS server is
-autoconfigured to work with Active Directory. It is possible to use BIND version 8 or 9, but it will almost
-certainly be necessary to create service records (SRV records) so MS Active Directory clients can resolve
-hostnames to locate essential network services. The following are some of the default service records that
-Active Directory requires:
-</p><p>
-<a class="indexterm" name="id351204"></a>
-<a class="indexterm" name="id351210"></a>
-<a class="indexterm" name="id351217"></a>
-The use of DDNS is highly recommended with Active Directory, in which case the use of BIND9 is preferred for
-its ability to adequately support the SRV (service) records that are needed for Active Directory. Of course,
-when running ADS, it makes sense to use Microsoft's own DDNS server because of the natural affinity between ADS
-and MS DNS.
-</p><div class="variablelist"><dl><dt><span class="term">_ldap._tcp.pdc._msdcs.<span class="emphasis"><em>Domain</em></span></span></dt><dd><p>
- This provides the address of the Windows NT PDC for the domain.
- </p></dd><dt><span class="term">_ldap._tcp.pdc._msdcs.<span class="emphasis"><em>DomainTree</em></span></span></dt><dd><p>
- Resolves the addresses of global catalog servers in the domain.
- </p></dd><dt><span class="term">_ldap._tcp.<span class="emphasis"><em>site</em></span>.sites.writable._msdcs.<span class="emphasis"><em>Domain</em></span></span></dt><dd><p>
- Provides list of domain controllers based on sites.
- </p></dd><dt><span class="term">_ldap._tcp.writable._msdcs.<span class="emphasis"><em>Domain</em></span></span></dt><dd><p>
- Enumerates list of domain controllers that have the writable copies of the Active Directory data store.
- </p></dd><dt><span class="term">_ldap._tcp.<span class="emphasis"><em>GUID</em></span>.domains._msdcs.<span class="emphasis"><em>DomainTree</em></span></span></dt><dd><p>
- Entry used by MS Windows clients to locate machines using the global unique identifier.
- </p></dd><dt><span class="term">_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc._msdcs.<span class="emphasis"><em>DomainTree</em></span></span></dt><dd><p>
- Used by Microsoft Windows clients to locate the site configuration-dependent global catalog server.
- </p></dd></dl></div><p>
- Specific entries used by Microsoft clients to locate essential services for an example domain
- called <code class="constant">quenya.org</code> include:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- _kerberos._udp.quenya.org Used to contact the KDC server via UDP.
- This entry must list port 88 for each KDC.
- </p></li><li class="listitem"><p>
- _kpasswd._udp.quenya.org Used to locate the <code class="constant">kpasswd</code> server
- when a user password change must be processed. This record must list port 464 on the
- master KDC.
- </p></li><li class="listitem"><p>
- _kerberos._tcp.quenya.org Used to locate the KDC server via TCP.
- This entry must list port 88 for each KDC.
- </p></li><li class="listitem"><p>
- _ldap._tcp.quenya.org Used to locate the LDAP service on the PDC.
- This record must list port 389 for the PDC.
- </p></li><li class="listitem"><p>
- _kpasswd._tcp.quenya.org Used to locate the <code class="constant">kpasswd</code> server
- to permit user password changes to be processed. This must list port 464.
- </p></li><li class="listitem"><p>
- _gc._tcp.quenya.org Used to locate the global catalog server for the
- top of the domain. This must list port 3268.
- </p></li></ul></div><p>
- The following records are also used by the Windows domain member client to locate vital
- services on the Windows ADS domain controllers.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- _ldap._tcp.pdc._msdcs.quenya.org
- </p></li><li class="listitem"><p>
- _ldap.gc._msdcs.quenya.org
- </p></li><li class="listitem"><p>
- _ldap.default-first-site-name._sites.gc._msdcs.quenya.org
- </p></li><li class="listitem"><p>
- _ldap.{SecID}.domains._msdcs.quenya.org
- </p></li><li class="listitem"><p>
- _ldap._tcp.dc._msdcs.quenya.org
- </p></li><li class="listitem"><p>
- _kerberos._tcp.dc._msdcs.quenya.org
- </p></li><li class="listitem"><p>
- _ldap.default-first-site-name._sites.dc._msdcs.quenya.org
- </p></li><li class="listitem"><p>
- _kerberos.default-first-site-name._sites.dc._msdcs.queyna.org
- </p></li><li class="listitem"><p>
- SecID._msdcs.quenya.org
- </p></li></ul></div><p>
- Presence of the correct DNS entries can be validated by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> dig @frodo -t any _ldap._tcp.dc._msdcs.quenya.org
-
-; &lt;lt;&gt;&gt; DiG 9.2.2 &lt;lt;&gt;&gt; @frodo -t any _ldap._tcp.dc._msdcs.quenya.org
-;; global options: printcmd
-;; Got answer:
-;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 3072
-;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
-
-
-;; QUESTION SECTION:
-;_ldap._tcp.dc._msdcs.quenya.org. IN ANY
-
-
-;; ANSWER SECTION:
-_ldap._tcp.dc._msdcs.quenya.org. 600 IN SRV 0 100 389 frodo.quenya.org.
-_ldap._tcp.dc._msdcs.quenya.org. 600 IN SRV 0 100 389 noldor.quenya.org.
-
-
-;; ADDITIONAL SECTION:
-frodo.quenya.org. 3600 IN A 10.1.1.16
-noldor.quenya.org. 1200 IN A 10.1.1.17
-
-
-;; Query time: 0 msec
-;; SERVER: frodo#53(10.1.1.16)
-;; WHEN: Wed Oct 7 14:39:31 2004
-;; MSG SIZE rcvd: 171
-</pre><p>
- </p></div></div><div class="sect1" title="How Browsing Functions"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id351491"></a>How Browsing Functions</h2></div></div></div><p>
-<a class="indexterm" name="id351498"></a>
-<a class="indexterm" name="id351505"></a>
-<a class="indexterm" name="id351512"></a>
-<a class="indexterm" name="id351518"></a>
-<a class="indexterm" name="id351525"></a>
-MS Windows machines register their NetBIOS names (i.e., the machine name for each service type in operation)
-on startup. The exact method by which this name registration takes place is determined by whether or not the
-MS Windows client/server has been given a WINS server address, whether or not LMHOSTS lookup is enabled,
-whether or not DNS for NetBIOS name resolution is enabled, and so on.
-</p><p>
-<a class="indexterm" name="id351539"></a>
-<a class="indexterm" name="id351546"></a>
-<a class="indexterm" name="id351552"></a>
-In the case where there is no WINS server, all name registrations as well as name lookups are done by UDP
-broadcast. This isolates name resolution to the local subnet, unless LMHOSTS is used to list all names and IP
-addresses. In such situations, Samba provides a means by which the Samba server name may be forcibly injected
-into the browse list of a remote MS Windows network (using the <a class="link" href="smb.conf.5.html#REMOTEANNOUNCE" target="_top">remote announce</a>
-parameter).
-</p><p>
-<a class="indexterm" name="id351577"></a>
-<a class="indexterm" name="id351584"></a>
-<a class="indexterm" name="id351590"></a>
-Where a WINS server is used, the MS Windows client will use UDP unicast to register with the WINS server. Such
-packets can be routed, and thus WINS allows name resolution to function across routed networks.
-</p><p>
-<a class="indexterm" name="id351602"></a>
-<a class="indexterm" name="id351609"></a>
-<a class="indexterm" name="id351618"></a>
-<a class="indexterm" name="id351625"></a>
-<a class="indexterm" name="id351631"></a>
-<a class="indexterm" name="id351638"></a>
-<a class="indexterm" name="id351645"></a>
-<a class="indexterm" name="id351652"></a>
-During the startup process, an election takes place to create a local master browser (LMB) if one does not
-already exist. On each NetBIOS network one machine will be elected to function as the domain master browser
-(DMB). This domain browsing has nothing to do with MS security Domain Control. Instead, the DMB serves the
-role of contacting each LMB (found by asking WINS or from LMHOSTS) and exchanging browse list contents. This
-way every master browser will eventually obtain a complete list of all machines that are on the network. Every
-11 to 15 minutes an election is held to determine which machine will be the master browser. By the nature of
-the election criteria used, the machine with the highest uptime, or the most senior protocol version or other
-criteria, will win the election as DMB.
-</p><p>
-<a class="indexterm" name="id351675"></a>
-<a class="indexterm" name="id351682"></a>
-<a class="indexterm" name="id351688"></a>
-<a class="indexterm" name="id351695"></a>
-<a class="indexterm" name="id351702"></a>
-<a class="indexterm" name="id351709"></a>
-<a class="indexterm" name="id351715"></a>
-<a class="indexterm" name="id351722"></a>
-Where a WINS server is used, the DMB registers its IP address with the WINS server using the name of the
-domain and the NetBIOS name type 1B (e.g., DOMAIN&lt;1B&gt;). All LMBs register their IP addresses with the WINS
-server, also with the name of the domain and the NetBIOS name type of 1D. The 1B name is unique to one
-server within the domain security context, and only one 1D name is registered for each network segment.
-Machines that have registered the 1D name will be authoritive browse list maintainers for the network segment
-they are on. The DMB is responsible for synchronizing the browse lists it obtains from the LMBs.
-</p><p>
-<a class="indexterm" name="id351744"></a>
-Clients wishing to browse the network make use of this list but also depend on the availability of correct
-name resolution to the respective IP address or addresses.
-</p><p>
-<a class="indexterm" name="id351756"></a>
-Any configuration that breaks name resolution and/or browsing intrinsics will annoy users because they will
-have to put up with protracted inability to use the network services.
-</p><p>
-<a class="indexterm" name="id351768"></a>
-<a class="indexterm" name="id351774"></a>
-<a class="indexterm" name="id351781"></a>
-<a class="indexterm" name="id351788"></a>
-<a class="indexterm" name="id351794"></a>
-<a class="indexterm" name="id351801"></a>
-Samba supports a feature that allows forced synchronization of browse lists across routed networks using the
-<a class="link" href="smb.conf.5.html#REMOTEBROWSESYNC" target="_top">remote browse sync</a> parameter in the <code class="filename">smb.conf</code> file. This causes Samba to contact the
-LMB on a remote network and to request browse list synchronization. This effectively bridges two networks that
-are separated by routers. The two remote networks may use either broadcast-based name resolution or WINS-based
-name resolution, but it should be noted that the <a class="link" href="smb.conf.5.html#REMOTEBROWSESYNC" target="_top">remote browse sync</a> parameter provides
-browse list synchronization and that is distinct from name-to-address resolution. In other words,
-for cross-subnet browsing to function correctly, it is essential that a name-to-address resolution mechanism
-be provided. This mechanism could be via DNS, <code class="filename">/etc/hosts</code>, and so on.
-</p><div class="sect2" title="Configuring Workgroup Browsing"><div class="titlepage"><div><div><h3 class="title"><a name="DMB"></a>Configuring Workgroup Browsing</h3></div></div></div><p>
-<a class="indexterm" name="id351862"></a>
-<a class="indexterm" name="id351868"></a>
-<a class="indexterm" name="id351875"></a>
-<a class="indexterm" name="id351881"></a>
-<a class="indexterm" name="id351888"></a>
-<a class="indexterm" name="id351895"></a>
-To configure cross-subnet browsing on a network containing machines in a workgroup, not an NT domain, you need
-to set up one Samba server to be the DMB (note that this is not the same as a Primary Domain Controller,
-although in an NT domain the same machine plays both roles). The role of a DMB is to collate the browse lists
-from LMB on all the subnets that have a machine participating in the workgroup. Without one machine configured
-as a DMB, each subnet would be an isolated workgroup unable to see any machines on another subnet. It is the
-presence of a DMB that makes cross-subnet browsing possible for a workgroup.
-</p><p>
-<a class="indexterm" name="id351910"></a>
-In a workgroup environment the DMB must be a Samba server, and there must only be one DMB per workgroup name.
-To set up a Samba server as a DMB, set the following option in the <em class="parameter"><code>[global]</code></em> section
-of the <code class="filename">smb.conf</code> file:
-</p><p>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id351939"></a><em class="parameter"><code>domain master = yes</code></em></td></tr></table><p>
-</p><p>
-<a class="indexterm" name="id351954"></a>
-<a class="indexterm" name="id351960"></a>
-The DMB should preferably be the LMB for its own subnet. In order to achieve this, set the following options
-in the <em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> file as shown in <a class="link" href="NetworkBrowsing.html#dmbexample" title="Example 10.1. Domain Master Browser smb.conf">Domain Master Browser smb.conf</a>
-</p><div class="example"><a name="dmbexample"></a><p class="title"><b>Example 10.1. Domain Master Browser smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id352013"></a><em class="parameter"><code>domain master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id352024"></a><em class="parameter"><code>local master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id352036"></a><em class="parameter"><code>preferred master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id352047"></a><em class="parameter"><code>os level = 65</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id352062"></a>
-<a class="indexterm" name="id352068"></a>
-The DMB may be the same machine as the WINS server, if necessary.
-</p><p>
-<a class="indexterm" name="id352079"></a>
-<a class="indexterm" name="id352086"></a>
-<a class="indexterm" name="id352092"></a>
-Next, you should ensure that each of the subnets contains a machine that can act as an LMB for the workgroup.
-Any MS Windows NT/200x/XP machine should be able to do this, as will Windows 9x/Me machines (although these
-tend to get rebooted more often, so it is not such a good idea to use them). To make a Samba server an LMB,
-set the following options in the <em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> file as shown in
-<a class="link" href="NetworkBrowsing.html#lmbexample" title="Example 10.2. Local master browser smb.conf">Local master browser smb.conf</a>
-</p><div class="example"><a name="lmbexample"></a><p class="title"><b>Example 10.2. Local master browser smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id352147"></a><em class="parameter"><code>domain master = no</code></em></td></tr><tr><td><a class="indexterm" name="id352159"></a><em class="parameter"><code>local master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id352170"></a><em class="parameter"><code>preferred master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id352182"></a><em class="parameter"><code>os level = 65</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id352196"></a>
-Do not do this for more than one Samba server on each subnet, or they will war with
-each other over which is to be the LMB.
-</p><p>
-<a class="indexterm" name="id352207"></a>
-<a class="indexterm" name="id352214"></a>
-The <a class="link" href="smb.conf.5.html#LOCALMASTER" target="_top">local master</a> parameter allows Samba to act as a
-LMB. The <a class="link" href="smb.conf.5.html#PREFERREDMASTER" target="_top">preferred master</a> causes <code class="literal">nmbd</code>
-to force a browser election on startup and the <a class="link" href="smb.conf.5.html#OSLEVEL" target="_top">os level</a>
-parameter sets Samba high enough so it should win any browser elections.
-</p><p>
-<a class="indexterm" name="id352262"></a>
-If you have an NT machine on the subnet that you wish to be the LMB, you can disable Samba from
-becoming an LMB by setting the following options in the <em class="parameter"><code>[global]</code></em> section of the
-<code class="filename">smb.conf</code> file as shown in <a class="link" href="NetworkBrowsing.html#nombexample" title="Example 10.3. smb.conf for Not Being a Master Browser">smb.conf for Not Being a Master Browser</a>.
-</p><p>
-</p><div class="example"><a name="nombexample"></a><p class="title"><b>Example 10.3. smb.conf for Not Being a Master Browser</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id352316"></a><em class="parameter"><code>domain master = no</code></em></td></tr><tr><td><a class="indexterm" name="id352328"></a><em class="parameter"><code>local master = no</code></em></td></tr><tr><td><a class="indexterm" name="id352339"></a><em class="parameter"><code>preferred master = no</code></em></td></tr><tr><td><a class="indexterm" name="id352351"></a><em class="parameter"><code>os level = 0</code></em></td></tr></table></div></div><p><br class="example-break">
-</p></div><div class="sect2" title="Domain Browsing Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id352366"></a>Domain Browsing Configuration</h3></div></div></div><p>
-<a class="indexterm" name="id352373"></a>
-<a class="indexterm" name="id352380"></a>
-<a class="indexterm" name="id352386"></a>
-<a class="indexterm" name="id352393"></a>
-If you are adding Samba servers to a Windows NT domain, then you must not set up a Samba server as a DMB. By
-default, a Windows NT PDC for a domain is also the DMB for that domain. Network browsing may break if a Samba
-server other than the PDC registers the DMB NetBIOS name (<em class="replaceable"><code>DOMAIN</code></em>&lt;1B&gt;) with
-WINS.
-</p><p>
-<a class="indexterm" name="id352410"></a>
-For subnets other than the one containing the Windows NT PDC, you may set up Samba servers as LMBs as
-described. To make a Samba server a Local Master Browser, set the following options in the <em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> file as shown in <a class="link" href="NetworkBrowsing.html#remsmb" title="Example 10.4. Local Master Browser smb.conf">Local Master Browser
-smb.conf</a>
-</p><div class="example"><a name="remsmb"></a><p class="title"><b>Example 10.4. Local Master Browser smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id352463"></a><em class="parameter"><code>domain master = no</code></em></td></tr><tr><td><a class="indexterm" name="id352475"></a><em class="parameter"><code>local master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id352486"></a><em class="parameter"><code>preferred master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id352498"></a><em class="parameter"><code>os level = 65</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id352512"></a>
-<a class="indexterm" name="id352519"></a>
-If you wish to have a Samba server fight the election with machines on the same subnet, you may set the
-<a class="link" href="smb.conf.5.html#OSLEVEL" target="_top">os level</a> parameter to lower levels. By doing this you can tune the order of machines
-that will become LMBs if they are running. For more details on this, refer to <a class="link" href="NetworkBrowsing.html#browse-force-master" title="Forcing Samba to Be the Master">Forcing Samba to Be the Master</a>.
-</p><p>
-<a class="indexterm" name="id352550"></a>
-<a class="indexterm" name="id352557"></a>
-<a class="indexterm" name="id352564"></a>
-If you have Windows NT machines that are members of the domain on all subnets and you are sure they will
-always be running, you can disable Samba from taking part in browser elections and ever becoming an LMB by
-setting the following options in the <em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> file as shown
-in <a class="link" href="NetworkBrowsing.html#xremmb" title="Example 10.5. smb.conf for Not Being a master browser"><code class="filename">smb.conf</code> for Not Being a master browser</a>
-</p><p>
-</p><div class="example"><a name="xremmb"></a><p class="title"><b>Example 10.5. <code class="filename">smb.conf</code> for Not Being a master browser</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id352628"></a><em class="parameter"><code>domain master = no</code></em></td></tr><tr><td><a class="indexterm" name="id352639"></a><em class="parameter"><code>local master = no</code></em></td></tr><tr><td><a class="indexterm" name="id352651"></a><em class="parameter"><code>preferred master = no</code></em></td></tr><tr><td><a class="indexterm" name="id352662"></a><em class="parameter"><code>os level = 0</code></em></td></tr></table></div></div><p><br class="example-break">
-</p></div><div class="sect2" title="Forcing Samba to Be the Master"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to Be the Master</h3></div></div></div><p>
-<a class="indexterm" name="id352688"></a>
-<a class="indexterm" name="id352695"></a>
-<a class="indexterm" name="id352702"></a>
-<a class="indexterm" name="id352709"></a>
-<a class="indexterm" name="id352715"></a>
-<a class="indexterm" name="id352722"></a>
-<a class="indexterm" name="id352729"></a>
-Who becomes the master browser is determined by an election process using broadcasts. Each election packet
-contains a number of parameters that determine what precedence (bias) a host should have in the election. By
-default Samba uses a low precedence and thus loses elections to just about every Windows network server or
-client.
-</p><p>
-If you want Samba to win elections, set the <a class="link" href="smb.conf.5.html#OSLEVEL" target="_top">os level</a> global option in <code class="filename">smb.conf</code> to a
-higher number. It defaults to 20. Using 34 would make it win all elections over every other system (except
-other Samba systems).
-</p><p>
-An <a class="link" href="smb.conf.5.html#OSLEVEL" target="_top">os level</a> of two would make it beat Windows for Workgroups and Windows 9x/Me, but
-not MS Windows NT/200x Server. An MS Windows NT/200x Server domain controller uses level 32. The maximum os
-level is 255.
-</p><p>
-<a class="indexterm" name="id352779"></a>
-<a class="indexterm" name="id352785"></a>
-<a class="indexterm" name="id352792"></a>
-<a class="indexterm" name="id352799"></a>
-If you want Samba to force an election on startup, set the <a class="link" href="smb.conf.5.html#PREFERREDMASTER" target="_top">preferred master</a> global
-option in <code class="filename">smb.conf</code> to <code class="constant">yes</code>. Samba will then have a slight advantage over other
-potential master browsers that are not preferred master browsers. Use this parameter with care, because if
-you have two hosts (whether they are Windows 9x/Me or NT/200x/XP or Samba) on the same local subnet both set
-with <a class="link" href="smb.conf.5.html#PREFERREDMASTER" target="_top">preferred master</a> to <code class="constant">yes</code>, then periodically and continually
-they will force an election in order to become the LMB.
-</p><p>
-<a class="indexterm" name="id352846"></a>
-<a class="indexterm" name="id352852"></a>
-<a class="indexterm" name="id352859"></a>
-<a class="indexterm" name="id352866"></a>
-<a class="indexterm" name="id352872"></a>
-If you want Samba to be a <span class="emphasis"><em>DMB</em></span>, then it is recommended that you also set <a class="link" href="smb.conf.5.html#PREFERREDMASTER" target="_top">preferred master</a> to <code class="constant">yes</code>, because Samba will not become a DMB for the whole of
-your LAN or WAN if it is not also a LMB on its own broadcast isolated subnet.
-</p><p>
-<a class="indexterm" name="id352902"></a>
-<a class="indexterm" name="id352909"></a>
-<a class="indexterm" name="id352916"></a>
-<a class="indexterm" name="id352922"></a>
-<a class="indexterm" name="id352929"></a>
-It is possible to configure two Samba servers to attempt to become the DMB for a domain. The first server that
-comes up will be the DMB. All other Samba servers will attempt to become the DMB every 5 minutes. They will
-find that another Samba server is already the DMB and will fail. This provides automatic redundancy should the
-current DMB fail. The network bandwidth overhead of browser elections is relatively small, requiring
-approximately four UDP packets per machine per election. The maximum size of a UDP packet is 576 bytes.
-</p></div><div class="sect2" title="Making Samba the Domain Master"><div class="titlepage"><div><div><h3 class="title"><a name="id352942"></a>Making Samba the Domain Master</h3></div></div></div><p>
-<a class="indexterm" name="id352950"></a>
-<a class="indexterm" name="id352957"></a>
-<a class="indexterm" name="id352964"></a>
-<a class="indexterm" name="id352970"></a>
-The domain master browser is responsible for collating the browse lists of multiple subnets so browsing can
-occur between subnets. You can make Samba act as the domain master browser by setting <a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master = yes</a> in <code class="filename">smb.conf</code>. By default it will not be a domain master browser.
-</p><p>
-<a class="indexterm" name="id352999"></a>
-<a class="indexterm" name="id353006"></a>
-Do not set Samba to be the domain master for a workgroup that has the same name as an NT/200x domain. If
-Samba is configured to be the domain master for a workgroup that is present on the same network as a Windows
-NT/200x domain that has the same name, network browsing problems will certainly be experienced.
-</p><p>
-When Samba is the domain master and the master browser, it will listen for master announcements (made roughly
-every 12 minutes) from LMBs on other subnets and then contact them to synchronize browse lists.
-</p><p>
-<a class="indexterm" name="id353024"></a>
-<a class="indexterm" name="id353031"></a>
-If you want Samba to be the domain master, you should also set the <a class="link" href="smb.conf.5.html#OSLEVEL" target="_top">os level</a> high
-enough to make sure it wins elections, and set <a class="link" href="smb.conf.5.html#PREFERREDMASTER" target="_top">preferred master</a> to
-<code class="constant">yes</code>, to get Samba to force an election on startup.
-</p><p>
-<a class="indexterm" name="id353066"></a>
-<a class="indexterm" name="id353073"></a>
-All servers (including Samba) and clients should be using a WINS server to resolve NetBIOS names. If your
-clients are only using broadcasting to resolve NetBIOS names, then two things will occur:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
-<a class="indexterm" name="id353094"></a>
-<a class="indexterm" name="id353100"></a>
- LMBs will be unable to find a DMB because they will be looking only on the local subnet.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id353114"></a>
- If a client happens to get hold of a domain-wide browse list and a user attempts to access a
- host in that list, it will be unable to resolve the NetBIOS name of that host.
- </p></li></ol></div><p>
-<a class="indexterm" name="id353128"></a>
-If, however, both Samba and your clients are using a WINS server, then:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- LMBs will contact the WINS server and, as long as Samba has registered that it is a DMB with the WINS
- server, the LMB will receive Samba's IP address as its DMB.
- </p></li><li class="listitem"><p>
- When a client receives a domain-wide browse list and a user attempts to access a host in that list, it will
- contact the WINS server to resolve the NetBIOS name of that host. As long as that host has registered its
- NetBIOS name with the same WINS server, the user will be able to see that host..
- </p></li></ol></div></div><div class="sect2" title="Note about Broadcast Addresses"><div class="titlepage"><div><div><h3 class="title"><a name="id353161"></a>Note about Broadcast Addresses</h3></div></div></div><p>
-<a class="indexterm" name="id353169"></a>
-If your network uses a zero-based broadcast address (for example, if it ends in a 0), then you will strike
-problems. Windows for Workgroups does not seem to support a zeros broadcast, and you will probably find that
-browsing and name lookups will not work.
-</p></div><div class="sect2" title="Multiple Interfaces"><div class="titlepage"><div><div><h3 class="title"><a name="id353180"></a>Multiple Interfaces</h3></div></div></div><p>
-<a class="indexterm" name="id353188"></a>
-Samba supports machines with multiple network interfaces. If you have multiple interfaces, you will
-need to use the <a class="link" href="smb.conf.5.html#INTERFACES" target="_top">interfaces</a> option in <code class="filename">smb.conf</code> to configure them. For example, the
-machine you are working with has 4 network interfaces; <code class="literal">eth0</code>, <code class="literal">eth1</code>,
-<code class="literal">eth2</code>, <code class="literal">eth3</code> and only interfaces <code class="literal">eth1</code> and
-<code class="literal">eth4</code> should be used by Samba. In this case, the following <code class="filename">smb.conf</code> file entries would
-permit that intent:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id353263"></a><em class="parameter"><code>interfaces = eth1, eth4</code></em></td></tr><tr><td><a class="indexterm" name="id353274"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr></table><p>
-<a class="indexterm" name="id353286"></a>
-<a class="indexterm" name="id353293"></a>
-<a class="indexterm" name="id353299"></a>
-<a class="indexterm" name="id353306"></a>
-<a class="indexterm" name="id353313"></a>
-<a class="indexterm" name="id353320"></a>
-<a class="indexterm" name="id353326"></a>
-The <a class="link" href="smb.conf.5.html#BINDINTERFACESONLY" target="_top">bind interfaces only = Yes</a> is necessary to exclude TCP/IP session
-services (ports 135, 139, and 445) over the interfaces that are not specified. Please be aware that
-<code class="literal">nmbd</code> will listen for incoming UDP port 137 packets on the unlisted interfaces, but it will
-not answer them. It will, however, send its broadcast packets over the unlisted interfaces. Total isolation of
-ethernet interface requires the use of a firewall to block ports 137 and 138 (UDP), and ports 135, 139, and
-445 (TCP) on all network interfaces that must not be able to access the Samba server.
-</p></div><div class="sect2" title="Use of the Remote Announce Parameter"><div class="titlepage"><div><div><h3 class="title"><a name="id353357"></a>Use of the Remote Announce Parameter</h3></div></div></div><p>
-The <a class="link" href="smb.conf.5.html#REMOTEANNOUNCE" target="_top">remote announce</a> parameter of <code class="filename">smb.conf</code> can be used to forcibly ensure that all
-the NetBIOS names on a network get announced to a remote network. The syntax of the <a class="link" href="smb.conf.5.html#REMOTEANNOUNCE" target="_top">remote announce</a> parameter is:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id353399"></a><em class="parameter"><code>remote announce = 192.168.12.23 [172.16.21.255] ...</code></em></td></tr></table><p>
-<span class="emphasis"><em>or</em></span>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id353419"></a><em class="parameter"><code>remote announce = 192.168.12.23/MIDEARTH [172.16.21.255/ELVINDORF] ...</code></em></td></tr></table><p>
-
-where:
-</p><div class="variablelist"><dl><dt><span class="term"><em class="replaceable"><code>192.168.12.23</code></em> and <em class="replaceable"><code>172.16.21.255</code></em></span></dt><dd><p>
-<a class="indexterm" name="id353446"></a>
-<a class="indexterm" name="id353455"></a>
- is either the LMB IP address or the broadcast address of the remote network.
- That is, the LMB is at 192.168.1.23, or the address could be given as 172.16.21.255 where the netmask
- is assumed to be 24 bits (255.255.255.0). When the remote announcement is made to the broadcast
- address of the remote network, every host will receive our announcements. This is noisy and therefore
- undesirable but may be necessary if we do not know the IP address of the remote LMB.
- </p></dd><dt><span class="term"><em class="replaceable"><code>WORKGROUP</code></em></span></dt><dd><p>is optional and can be either our own workgroup or that of the remote network. If you use the
- workgroup name of the remote network, our NetBIOS machine names will end up looking like
- they belong to that workgroup. This may cause name resolution problems and should be avoided.
- </p></dd></dl></div><p>
-</p></div><div class="sect2" title="Use of the Remote Browse Sync Parameter"><div class="titlepage"><div><div><h3 class="title"><a name="id353486"></a>Use of the Remote Browse Sync Parameter</h3></div></div></div><p>
-<a class="indexterm" name="id353494"></a>
-<a class="indexterm" name="id353500"></a>
-The <a class="link" href="smb.conf.5.html#REMOTEBROWSESYNC" target="_top">remote browse sync</a> parameter of <code class="filename">smb.conf</code> is used to announce to another LMB that
-it must synchronize its NetBIOS name list with our Samba LMB. This works only if the Samba server that has
-this option is simultaneously the LMB on its network segment.
-</p><p>
-The syntax of the <a class="link" href="smb.conf.5.html#REMOTEBROWSESYNC" target="_top">remote browse sync</a> parameter is:
-
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id353545"></a></td></tr></table><p>
-<a class="indexterm" name="id353552"></a>
-<a class="indexterm" name="id353558"></a>
-where <em class="replaceable"><code>192.168.10.40</code></em> is either the IP address of the
-remote LMB or the network broadcast address of the remote segment.
-</p></div></div><div class="sect1" title="WINS: The Windows Internetworking Name Server"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id353573"></a>WINS: The Windows Internetworking Name Server</h2></div></div></div><p>
-<a class="indexterm" name="id353581"></a>
-<a class="indexterm" name="id353588"></a>
-<a class="indexterm" name="id353594"></a>
-Use of WINS (either Samba WINS or MS Windows NT Server WINS) is highly
-recommended. Every NetBIOS machine registers its name together with a
-name_type value for each of several types of service it has available.
-It registers its name directly as a unique (the type 0x03) name.
-It also registers its name if it is running the LanManager-compatible
-server service (used to make shares and printers available to other users)
-by registering the server (the type 0x20) name.
-</p><p>
-<a class="indexterm" name="id353608"></a>
-<a class="indexterm" name="id353615"></a>
-All NetBIOS names are up to 15 characters in length. The name_type variable
-is added to the end of the name, thus creating a 16 character name. Any
-name that is shorter than 15 characters is padded with spaces to the 15th
-character. Thus, all NetBIOS names are 16 characters long (including the
-name_type information).
-</p><p>
-<a class="indexterm" name="id353628"></a>
-<a class="indexterm" name="id353635"></a>
-<a class="indexterm" name="id353642"></a>
-<a class="indexterm" name="id353648"></a>
-WINS can store these 16-character names as they get registered. A client
-that wants to log onto the network can ask the WINS server for a list
-of all names that have registered the NetLogon service name_type. This saves
-broadcast traffic and greatly expedites logon processing. Since broadcast
-name resolution cannot be used across network segments, this type of
-information can only be provided via WINS or via a statically configured
-<code class="filename">lmhosts</code> file that must reside on all clients in the
-absence of WINS.
-</p><p>
-<a class="indexterm" name="id353669"></a>
-<a class="indexterm" name="id353675"></a>
-<a class="indexterm" name="id353682"></a>
-<a class="indexterm" name="id353688"></a>
-<a class="indexterm" name="id353695"></a>
-WINS also forces browse list synchronization by all LMBs. LMBs must synchronize their browse list with the
-DMB, and WINS helps the LMB to identify its DMB. By definition this will work only within a single workgroup.
-Note that the DMB has nothing to do with what is referred to as an MS Windows NT domain. The latter is a
-reference to a security environment, while the DMB refers to the master controller for browse list information
-only.
-</p><p>
-<a class="indexterm" name="id353709"></a>
-<a class="indexterm" name="id353716"></a>
-<a class="indexterm" name="id353723"></a>
-<a class="indexterm" name="id353730"></a>
-WINS will work correctly only if every client TCP/IP protocol stack
-is configured to use the WINS servers. Any client that is not
-configured to use the WINS server will continue to use only broadcast-based
-name registration, so WINS may never get to know about it. In any case,
-machines that have not registered with a WINS server will fail name-to-address
-lookup attempts by other clients and will therefore cause workstation access
-errors.
-</p><p>
-To configure Samba as a WINS server, just add
-<a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = yes</a> to the <code class="filename">smb.conf</code>
-file [global] section.
-</p><p>
-To configure Samba to register with a WINS server, just add <a class="link" href="smb.conf.5.html#WINSSERVER" target="_top">wins server = 10.0.0.18</a> to your <code class="filename">smb.conf</code> file <em class="parameter"><code>[global]</code></em> section.
-</p><div class="important" title="Important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>
-Never use <a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = yes</a> together with <a class="link" href="smb.conf.5.html#WINSSERVER" target="_top">wins server = 10.0.0.18</a> particularly not using its own IP address. Specifying both will cause <span class="application">nmbd</span>
-to refuse to start!
-</p></div><div class="sect2" title="WINS Server Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id353824"></a>WINS Server Configuration</h3></div></div></div><p>
-<a class="indexterm" name="id353832"></a>
-Either a Samba server or a Windows NT server machine may be set up
-as a WINS server. To configure a Samba server to be a WINS server, you must
-add to the <code class="filename">smb.conf</code> file on the selected Server the following line to
-the <em class="parameter"><code>[global]</code></em> section:
-</p><p>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id353861"></a><em class="parameter"><code>wins support = yes</code></em></td></tr></table><p>
-</p><p>
-<a class="indexterm" name="id353875"></a>
-Versions of Samba prior to 1.9.17 had this parameter default to
-yes. If you have any older versions of Samba on your network, it is
-strongly suggested you upgrade to a recent version, or at the very
-least set the parameter to <span class="quote">&#8220;<span class="quote">no</span>&#8221;</span> on all these machines.
-</p><p>
-Machines configured with <a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = yes</a> will keep a list of
-all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
-</p><p>
-<a class="indexterm" name="id353906"></a>
-It is strongly recommended to set up only one WINS server. Do not set the <a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = yes</a> option on more than one Samba server on a network.
-</p><p>
-<a class="indexterm" name="id353928"></a>
-<a class="indexterm" name="id353937"></a>
-<a class="indexterm" name="id353943"></a>
-<a class="indexterm" name="id353950"></a>
-<a class="indexterm" name="id353957"></a>
-To configure Windows NT/200x Server as a WINS server, install and configure the WINS service. See the Windows
-NT/200x documentation for details. Windows NT/200x WINS servers can replicate to each other, allowing more
-than one to be set up in a complex subnet environment. Because Microsoft refuses to document the replication
-protocols, Samba cannot currently participate in these replications. It is possible that a Samba-to-Samba WINS
-replication protocol may be defined in the future, in which case more than one Samba machine could be set up
-as a WINS server. Currently only one Samba server should have the <a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = yes</a> parameter set.
-</p><p>
-<a class="indexterm" name="id353983"></a>
-<a class="indexterm" name="id353990"></a>
-After the WINS server has been configured, you must ensure that all machines participating on the network are
-configured with the address of this WINS server. If your WINS server is a Samba machine, fill in the Samba
-machine IP address in the <span class="guilabel">Primary WINS Server</span> field of the <span class="guilabel">Control
-Panel-&gt;Network-&gt;Protocols-&gt;TCP-&gt;WINS Server</span> dialogs in Windows 9x/Me or Windows NT/200x. To tell a
-Samba server the IP address of the WINS server, add the following line to the <em class="parameter"><code>[global]</code></em> section of all <code class="filename">smb.conf</code> files:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id354029"></a><em class="parameter"><code>wins server = &lt;name or IP address&gt;</code></em></td></tr></table><p>
-where &lt;name or IP address&gt; is either the DNS name of the WINS server
-machine or its IP address.
-</p><p>
-This line must not be set in the <code class="filename">smb.conf</code> file of the Samba
-server acting as the WINS server itself. If you set both the
-<a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = yes</a> option and the
-<a class="link" href="smb.conf.5.html#WINSSERVER" target="_top">wins server = &lt;name&gt;</a> option then
-<code class="literal">nmbd</code> will fail to start.
-</p><p>
-<a class="indexterm" name="id354085"></a>
-<a class="indexterm" name="id354091"></a>
-<a class="indexterm" name="id354098"></a>
-<a class="indexterm" name="id354105"></a>
-There are two possible scenarios for setting up cross-subnet browsing.
-The first details setting up cross-subnet browsing on a network containing
-Windows 9x/Me, Samba, and Windows NT/200x machines that are not configured as
-part of a Windows NT domain. The second details setting up cross-subnet
-browsing on networks that contain NT domains.
-</p></div><div class="sect2" title="WINS Replication"><div class="titlepage"><div><div><h3 class="title"><a name="id354117"></a>WINS Replication</h3></div></div></div><p>
-<a class="indexterm" name="id354125"></a>
-<a class="indexterm" name="id354134"></a>
-Samba-3 does not support native WINS replication. There was an approach to implement it, called
-<code class="filename">wrepld</code>, but it was never ready for action and the development is now discontinued.
-</p><p>
-Meanwhile, there is a project named <code class="filename">samba4WINS</code>, which makes it possible to
-run the Samba-4 WINS server parallel to Samba-3 since version 3.0.21. More information about
-<code class="filename">samba4WINS</code> are available at http://ftp.sernet.de/pub/samba4WINS.
-
-</p></div><div class="sect2" title="Static WINS Entries"><div class="titlepage"><div><div><h3 class="title"><a name="id354166"></a>Static WINS Entries</h3></div></div></div><p>
-<a class="indexterm" name="id354174"></a>
-<a class="indexterm" name="id354181"></a>
-<a class="indexterm" name="id354188"></a>
-<a class="indexterm" name="id354195"></a>
-Adding static entries to your Samba WINS server is actually fairly easy. All you have to do is add a line to
-<code class="filename">wins.dat</code>, typically located in <code class="filename">/usr/local/samba/var/locks</code> or <code class="filename">/var/run/samba</code>.
-</p><p>
-Entries in <code class="filename">wins.dat</code> take the form of:
-</p><pre class="programlisting">
-"NAME#TYPE" TTL ADDRESS+ FLAGS
-</pre><p>
-<a class="indexterm" name="id354238"></a>
-<a class="indexterm" name="id354245"></a>
-where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the time-to-live as an absolute time in
-seconds, ADDRESS+ is one or more addresses corresponding to the registration, and FLAGS are the NetBIOS flags
-for the registration.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-A change that has been made to the <code class="filename">wins.dat</code> will not take effect until <span class="application">nmbd</span> has been
-restarted. It should be noted that since the <code class="filename">wins.dat</code> file changes dynamically, <span class="application">nmbd</span>
-should be stopped before editting this file. Do not forget to restart <span class="application">nmbd</span> when this file has been editted.
-</p></div><p>
-A typical dynamic entry looks like this:
-</p><pre class="programlisting">
-"MADMAN#03" 1155298378 192.168.1.2 66R
-</pre><p>
-To make a NetBIOS name static (permanent), simply set the TTL to 0, like this:
-</p><pre class="programlisting">
-"MADMAN#03" 0 192.168.1.2 66R
-</pre><p>
-</p><p>
-<a class="indexterm" name="id354311"></a>
-<a class="indexterm" name="id354318"></a>
-<a class="indexterm" name="id354325"></a>
-<a class="indexterm" name="id354332"></a>
-<a class="indexterm" name="id354338"></a>
-<a class="indexterm" name="id354345"></a>
-<a class="indexterm" name="id354352"></a>
-The NetBIOS flags may be interpreted as additive hexadecimal values: 00 - Broadcast node registration, 20 -
-Peer node registration, 40 - Meta node registration, 60 - Hybrid node registration, 02 - Permanent name, 04 -
-Active name, 80 - Group name. The 'R' indicates this is a registration record. Thus 66R means: Hybrid node
-active and permanent NetBIOS name. These values may be found in the <code class="filename">nameserv.h</code> header
-file from the Samba source code repository. These are the values for the NB flags.
-</p><p>
-<a class="indexterm" name="id354372"></a>
-Though this method works with early Samba-3 versions, there is a possibility that it may change in future
-versions if WINS replication is added.
-</p></div></div><div class="sect1" title="Helpful Hints"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id354384"></a>Helpful Hints</h2></div></div></div><p>
-The following hints should be carefully considered because they are stumbling points
-for many new network administrators.
-</p><div class="sect2" title="Windows Networking Protocols"><div class="titlepage"><div><div><h3 class="title"><a name="id354394"></a>Windows Networking Protocols</h3></div></div></div><p>
-<a class="indexterm" name="id354401"></a>
-<a class="indexterm" name="id354408"></a>
-A common cause of browsing problems results from the installation of more than one protocol on an MS Windows
-machine.
-</p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-Do not use more than one protocol on MS Windows clients.
-</p></div><p>
-<a class="indexterm" name="id354424"></a>
-<a class="indexterm" name="id354431"></a>
-Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
-every 15 minutes. A set of election criteria is used to determine the order
-of precedence for winning this election process. A machine running Samba or
-Windows NT will be biased, so the most suitable machine will predictably
-win and thus retain its role.
-</p><p>
-<a class="indexterm" name="id354443"></a>
-<a class="indexterm" name="id354450"></a>
-<a class="indexterm" name="id354457"></a>
-<a class="indexterm" name="id354464"></a>
-<a class="indexterm" name="id354471"></a>
-<a class="indexterm" name="id354477"></a>
-The election process is <span class="emphasis"><em>fought out, so to speak</em></span> over every NetBIOS network interface. In
-the case of a Windows 9x/Me machine that has both TCP/IP and IPX installed and has NetBIOS enabled over both
-protocols, the election will be decided over both protocols. As often happens, if the Windows 9x/Me machine is
-the only one with both protocols, then the LMB may be won on the NetBIOS interface over the IPX protocol.
-Samba will then lose the LMB role because Windows 9x/Me will insist it knows who the LMB is. Samba will then
-cease to function as an LMB, and browse list operation on all TCP/IP-only machines will therefore fail.
-</p><p>
-<a class="indexterm" name="id354496"></a>
-<a class="indexterm" name="id354503"></a>
-Windows 95, 98, 98se, and Me are referred to generically as Windows 9x/Me. The Windows NT4, 200x, and XP use
-common protocols. These are roughly referred to as the Windows NT family, but it should be recognized that
-2000 and XP/2003 introduce new protocol extensions that cause them to behave differently from MS Windows NT4.
-Generally, where a server does not support the newer or extended protocol, these will fall back to the NT4
-protocols.
-</p><p>
-The safest rule of all to follow is: Use only one protocol!
-</p></div><div class="sect2" title="Name Resolution Order"><div class="titlepage"><div><div><h3 class="title"><a name="id354520"></a>Name Resolution Order</h3></div></div></div><p>
-<a class="indexterm" name="id354527"></a>
-<a class="indexterm" name="id354534"></a>
-Resolution of NetBIOS names to IP addresses can take place using a number
-of methods. The only ones that can provide NetBIOS name_type information
-are:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>WINS the best tool.</p></li><li class="listitem"><p>LMHOSTS static and hard to maintain.</p></li><li class="listitem"><p>Broadcast uses UDP and cannot resolve names across remote segments.</p></li></ul></div><p>
-Alternative means of name resolution include:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Static <code class="filename">/etc/hosts</code> hard to maintain and lacks name_type info.</p></li><li class="listitem"><p>DNS is a good choice but lacks essential NetBIOS name_type information.</p></li></ul></div><p>
-<a class="indexterm" name="id354600"></a>
-<a class="indexterm" name="id354606"></a>
-Many sites want to restrict DNS lookups and avoid broadcast name
-resolution traffic. The <em class="parameter"><code>name resolve order</code></em> parameter is of great help here.
-The syntax of the <em class="parameter"><code>name resolve order</code></em> parameter is:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id354631"></a><em class="parameter"><code>name resolve order = wins lmhosts bcast host</code></em></td></tr></table><p>
-<span class="emphasis"><em>or</em></span>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id354651"></a><em class="parameter"><code>name resolve order = wins lmhosts (eliminates bcast and host)</code></em></td></tr></table><p>
-The default is:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id354669"></a><em class="parameter"><code>name resolve order = host lmhost wins bcast</code></em></td></tr></table><p>
-<a class="indexterm" name="id354681"></a>
-where <span class="quote">&#8220;<span class="quote">host</span>&#8221;</span> refers to the native methods used by the UNIX system to implement the
-gethostbyname() function call. This is normally controlled by <code class="filename">/etc/host.conf</code>,
-<code class="filename">/etc/nsswitch.conf</code> and <code class="filename">/etc/resolv.conf</code>.
-</p></div></div><div class="sect1" title="Technical Overview of Browsing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id354713"></a>Technical Overview of Browsing</h2></div></div></div><p>
-<a class="indexterm" name="id354721"></a>
-SMB networking provides a mechanism by which clients can access a list
-of machines in a network called <a class="link" href="smb.conf.5.html#BROWSELIST" target="_top">browse list</a>. This list
-contains machines that are ready to offer file and/or print services
-to other machines within the network. It therefore does not include
-machines that aren't currently able to do server tasks. The browse
-list is heavily used by all SMB clients. Configuration of SMB
-browsing has been problematic for some Samba users, hence this
-document.
-</p><p>
-<a class="indexterm" name="id354746"></a>
-<a class="indexterm" name="id354753"></a>
-<a class="indexterm" name="id354760"></a>
-MS Windows 2000 and later versions, as with Samba-3 and later versions, can be
-configured to not use NetBIOS over TCP/IP. When configured this way,
-it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
-configured and operative. Browsing will not work if name resolution
-from SMB machine names to IP addresses does not function correctly.
-</p><p>
-<a class="indexterm" name="id354773"></a>
-<a class="indexterm" name="id354780"></a>
-Where NetBIOS over TCP/IP is enabled, use of a WINS server is highly
-recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
-WINS allows remote segment clients to obtain NetBIOS name_type information
-that cannot be provided by any other means of name resolution.
-</p><div class="sect2" title="Browsing Support in Samba"><div class="titlepage"><div><div><h3 class="title"><a name="id354790"></a>Browsing Support in Samba</h3></div></div></div><p>
-<a class="indexterm" name="id354798"></a>
-<a class="indexterm" name="id354805"></a>
-<a class="indexterm" name="id354811"></a>
-<a class="indexterm" name="id354818"></a>
-Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span>
-and is also controlled by options in the <code class="filename">smb.conf</code> file.
-Samba can act as an LMB for a workgroup, and the ability
-to support domain logons and scripts is now available.
-</p><p>
-<a class="indexterm" name="id354842"></a>
-<a class="indexterm" name="id354848"></a>
-<a class="indexterm" name="id354855"></a>
-Samba can also act as a DMB for a workgroup. This
-means that it will collate lists from LMBs into a
-wide-area network server list. In order for browse clients to
-resolve the names they may find in this list, it is recommended that
-both Samba and your clients use a WINS server.
-</p><p>
-<a class="indexterm" name="id354867"></a>
-Do not set Samba to be the domain master for a workgroup that has the same
-name as an NT Domain. On each wide-area network, you must only ever have one
-DMB per workgroup, regardless of whether it is NT, Samba,
-or any other type of domain master that is providing this service.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id354881"></a>
-<a class="indexterm" name="id354888"></a>
-<code class="literal">nmbd</code> can be configured as a WINS server, but it is not
-necessary to specifically use Samba as your WINS server. MS Windows
-NT4, Server or Advanced Server 200x can be configured as
-your WINS server. In a mixed NT/200x server and Samba environment on
-a WAN, it is recommended that you use the Microsoft
-WINS server capabilities. In a Samba-only environment, it is
-recommended that you use one and only one Samba server as the WINS server.
-</p></div><p>
-<a class="indexterm" name="id354907"></a>
-To get browsing to work, you need to run <code class="literal">nmbd</code> as usual, but must
-use the <a class="link" href="smb.conf.5.html#WORKGROUP" target="_top">workgroup</a> option in <code class="filename">smb.conf</code>
-to control what workgroup Samba becomes a part of.
-</p><p>
-<a class="indexterm" name="id354941"></a>
-Samba also has a useful option for a Samba server to offer itself for browsing on another subnet. It is
-recommended that this option is used only for <span class="quote">&#8220;<span class="quote">unusual</span>&#8221;</span> purposes: announcements over the
-Internet, for example. See <a class="link" href="smb.conf.5.html#REMOTEANNOUNCE" target="_top">remote announce</a> in the <code class="filename">smb.conf</code> man page.
-</p></div><div class="sect2" title="Problem Resolution"><div class="titlepage"><div><div><h3 class="title"><a name="id354972"></a>Problem Resolution</h3></div></div></div><p>
-<a class="indexterm" name="id354979"></a>
-<a class="indexterm" name="id354986"></a>
-If something does not work, the <code class="filename">log.nmbd</code> file will help
-to track down the problem. Try a <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a> of 2 or 3 for finding
-problems. Also note that the current browse list usually gets stored
-in text form in a file called <code class="filename">browse.dat</code>.
-</p><p>
-<a class="indexterm" name="id355020"></a>
-<a class="indexterm" name="id355027"></a>
-If it does not work, you should still be able to
-type the server name as <code class="filename">\\SERVER</code> in <code class="literal">filemanager</code>, then
-press enter, and <code class="literal">filemanager</code> should display the list of available shares.
-</p><p>
-<a class="indexterm" name="id355055"></a>
-<a class="indexterm" name="id355062"></a>
-Some people find browsing fails because they do not have the global
-<a class="link" href="smb.conf.5.html#GUESTACCOUNT" target="_top">guest account</a> set to a valid account. Remember that the
-IPC$ connection that lists the shares is done as guest and so you must have a valid guest account.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id355087"></a>
-<a class="indexterm" name="id355093"></a>
-<a class="indexterm" name="id355100"></a>
-<a class="indexterm" name="id355106"></a>
-<a class="indexterm" name="id355113"></a>
-The <code class="literal">IPC$</code> share is used by all SMB/CIFS clients to obtain the list of resources that is
-available on the server. This is the source of the list of shares and printers when browsing an SMB/CIFS
-server (also Windows machines) using the Windows Explorer to browse resources through the Windows Network
-Neighborhood (also called My Network Places) through to a Windows server. At this point, the client has opened
-a connection to the <code class="literal">\\server\IPC4</code> resource. Clicking on a share will then open up a
-connection to the <code class="literal">\\server\share</code>.
-</p></div><p>
-<a class="indexterm" name="id355145"></a>
-<a class="indexterm" name="id355152"></a>
-<a class="indexterm" name="id355158"></a>
-<a class="indexterm" name="id355165"></a>
-MS Windows 2000 and later (as with Samba) can be configured to disallow
-anonymous (i.e., guest account) access to the IPC$ share. In that case, the
-MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
-name of the currently logged-in user to query the IPC$ share. MS Windows
-9x/Me clients are not able to do this and thus will not be able to browse
-server resources.
-</p><p>
-<a class="indexterm" name="id355182"></a>
-The other big problem people have is that their broadcast address,
-netmask, or IP address is wrong (specified with the <a class="link" href="smb.conf.5.html#INTERFACES" target="_top">interfaces</a> option
-in <code class="filename">smb.conf</code>)
-</p></div><div class="sect2" title="Cross-Subnet Browsing"><div class="titlepage"><div><div><h3 class="title"><a name="id355210"></a>Cross-Subnet Browsing</h3></div></div></div><p>
-<a class="indexterm" name="id355217"></a>
-<a class="indexterm" name="id355226"></a>
-Since the release of Samba 1.9.17 (alpha1), Samba has supported the replication of browse lists across subnet
-boundaries. This section describes how to set this feature up in different settings.
-</p><p>
-<a class="indexterm" name="id355238"></a>
-<a class="indexterm" name="id355245"></a>
-<a class="indexterm" name="id355252"></a>
-<a class="indexterm" name="id355258"></a>
-<a class="indexterm" name="id355265"></a>
-<a class="indexterm" name="id355272"></a>
-To see browse lists that span TCP/IP subnets (i.e., networks separated by routers that do not pass broadcast
-traffic), you must set up at least one WINS server. The WINS server acts as a DNS for NetBIOS names. This will
-allow NetBIOS name-to-IP address translation to be completed by a direct query of the WINS server. This is
-done via a directed UDP packet on port 137 to the WINS server machine. The WINS server avoids the necessity of
-default NetBIOS name-to-IP address translation, which is done using UDP broadcasts from the querying machine.
-This means that machines on one subnet will not be able to resolve the names of machines on another subnet
-without using a WINS server. The Samba hacks, <em class="parameter"><code>remote browse sync</code></em>, and <em class="parameter"><code>remote
-announce</code></em> are designed to get around the natural limitations that prevent UDP broadcast
-propagation. The hacks are not a universal solution and they should not be used in place of WINS, they are
-considered last resort methods.
-</p><p>
-<a class="indexterm" name="id355302"></a>
-<a class="indexterm" name="id355308"></a>
-<a class="indexterm" name="id355315"></a>
-<a class="indexterm" name="id355322"></a>
-Remember, for browsing across subnets to work correctly, all machines, be they Windows 95, Windows NT, or
-Samba servers, must have the IP address of a WINS server given to them by a DHCP server or by manual
-configuration: for Windows 9x/Me and Windows NT/200x/XP, this is in the TCP/IP Properties, under Network
-settings; for Samba, this is in the <code class="filename">smb.conf</code> file.
-</p><p>
-<a class="indexterm" name="id355341"></a>
-<a class="indexterm" name="id355348"></a>
-<a class="indexterm" name="id355354"></a>
-It is possible to operate Samba-3 without NetBIOS over TCP/IP. If you do this, be warned that if used outside
-of MS ADS, this will forgo network browsing support. ADS permits network browsing support through DNS,
-providing appropriate DNS records are inserted for all Samba servers.
-</p><div class="sect3" title="Behavior of Cross-Subnet Browsing"><div class="titlepage"><div><div><h4 class="title"><a name="id355365"></a>Behavior of Cross-Subnet Browsing</h4></div></div></div><p>
-<a class="indexterm" name="id355372"></a>
-<a class="indexterm" name="id355379"></a>
-Cross-subnet browsing is a complicated dance, containing multiple moving parts. It has taken Microsoft several
-years to get the code that correctly achieves this, and Samba lags behind in some areas. Samba is capable of
-cross-subnet browsing when configured correctly.
-</p><p>
-Consider a network set up as in <a class="link" href="NetworkBrowsing.html#browsing1" title="Figure 10.1. Cross-Subnet Browsing Example.">Cross-Subnet Browsing Example</a>.
-</p><div class="figure"><a name="browsing1"></a><p class="title"><b>Figure 10.1. Cross-Subnet Browsing Example.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/browsing1.png" width="216" alt="Cross-Subnet Browsing Example."></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="id355443"></a>
-<a class="indexterm" name="id355450"></a>
-<a class="indexterm" name="id355457"></a>
-This consists of three subnets (1, 2, 3) connected by two routers (R1, R2), which do not pass broadcasts.
-Subnet 1 has five machines on it, subnet 2 has four machines, and subnet 3 has four machines. Assume for the
-moment that all machines are configured to be in the same workgroup (for simplicity's sake). Machine N1_C on
-subnet 1 is configured as the DMB (i.e., it will collate the browse lists for the workgroup). Machine N2_D is
-configured as a WINS server, and all the other machines are configured to register their NetBIOS names with
-it.
-</p><p>
-<a class="indexterm" name="id355471"></a>
-<a class="indexterm" name="id355478"></a>
-<a class="indexterm" name="id355485"></a>
-As these machines are booted up, elections for master browsers
-take place on each of the three subnets. Assume that machine
-N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
-subnet 3. These machines are known as LMBs for
-their particular subnet. N1_C has an advantage in winning as the
-LMB on subnet 1 because it is set up as DMB.
-</p><p>
-<a class="indexterm" name="id355498"></a>
-<a class="indexterm" name="id355504"></a>
-On each of the three networks, machines that are configured to offer sharing services will broadcast that they
-are offering these services. The LMB on each subnet will receive these broadcasts and keep a record of the
-fact that the machine is offering a service. This list of records is the basis of the browse list. For this
-case, assume that all the machines are configured to offer services, so all machines will be on the browse
-list.
-</p><p>
-<a class="indexterm" name="id355518"></a>
-<a class="indexterm" name="id355524"></a>
-<a class="indexterm" name="id355531"></a>
-<a class="indexterm" name="id355538"></a>
-<a class="indexterm" name="id355545"></a>
-For each network, the LMB on that network is
-considered <span class="emphasis"><em>authoritative</em></span> for all the names it receives via
-local broadcast. This is because a machine seen by the LMB
-via a local broadcast must be on the same network as the
-Local Master Browser and thus is a <span class="emphasis"><em>trusted</em></span>
-and <span class="emphasis"><em>verifiable</em></span> resource. Machines on other networks that
-the LMBs learn about when collating their
-browse lists have not been directly seen. These records are
-called <span class="emphasis"><em>non-authoritative.</em></span>
-</p><p>
-<a class="indexterm" name="id355573"></a>
-At this point the browse lists appear as shown in <a class="link" href="NetworkBrowsing.html#browsubnet" title="Table 10.1. Browse Subnet Example 1">Browse Subnet Example 1</a>
-(these are the machines you would see in your network neighborhood if you looked in it on a particular network
-right now).
-</p><p>
-</p><div class="table"><a name="browsubnet"></a><p class="title"><b>Table 10.1. Browse Subnet Example 1</b></p><div class="table-contents"><table summary="Browse Subnet Example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div></div><p><br class="table-break">
-</p><p>
-At this point all the subnets are separate, and no machine is seen across any of the subnets.
-</p><p>
-<a class="indexterm" name="id355663"></a>
-<a class="indexterm" name="id355670"></a>
-<a class="indexterm" name="id355676"></a>
-<a class="indexterm" name="id355683"></a>
-Now examine subnet 2 in <a class="link" href="NetworkBrowsing.html#brsbex" title="Table 10.2. Browse Subnet Example 2">Browse Subnet Example 2</a>. As soon as N2_B has become the
-LMB, it looks for a DMB with which to synchronize its browse list. It does this by querying the WINS server
-(N2_D) for the IP address associated with the NetBIOS name WORKGROUP&lt;1B&gt;. This name was registered by
-the DMB (N1_C) with the WINS server as soon as it was started.
-</p><p>
-<a class="indexterm" name="id355705"></a>
-<a class="indexterm" name="id355711"></a>
-<a class="indexterm" name="id355718"></a>
-<a class="indexterm" name="id355725"></a>
-Once N2_B knows the address of the DMB, it tells the DMB that it is the LMB
-for subnet 2 by sending the DMB a
-<span class="emphasis"><em>MasterAnnouncement</em></span> packet to UDP port 138. It then
-synchronizes with the DMB by
-doing a <span class="emphasis"><em>NetServerEnum2</em></span> call. This tells the DMB to
-send the sender all the server names it knows
-about. Once the DMB receives the <span class="emphasis"><em>MasterAnnouncement</em></span> packet, it schedules a
-synchronization request to the sender of that packet. After both synchronizations are complete, the browse
-lists look like those in <a class="link" href="NetworkBrowsing.html#brsbex" title="Table 10.2. Browse Subnet Example 2">Browse Subnet Example 2</a>
-</p><div class="table"><a name="brsbex"></a><p class="title"><b>Table 10.2. Browse Subnet Example 2</b></p><div class="table-contents"><table summary="Browse Subnet Example 2" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E,
-N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*),
-N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div></div><br class="table-break"><p>
-<a class="indexterm" name="id355833"></a>
-Servers with an (*) after them are non-authoritative names.
-</p><p>
-<a class="indexterm" name="id355844"></a>
-At this point users looking in their Network Neighborhood on subnets 1 or 2 will see all the servers on both;
-users on subnet 3 will still see only the servers on their own subnet.
-</p><p>
-<a class="indexterm" name="id355855"></a>
-The same sequence of events that occurred for N2_B now occurs for the LMB on subnet 3 (N3_D). When it
-synchronizes browse lists with the DMB (N1_A) it gets both the server entries on subnet 1 and those on subnet
-2. After N3_D has synchronized with N1_C and vica versa, the browse lists will appear as shown in <a class="link" href="NetworkBrowsing.html#brsex2" title="Table 10.3. Browse Subnet Example 3">Browse Subnet Example 3</a>
-</p><div class="table"><a name="brsex2"></a><p class="title"><b>Table 10.3. Browse Subnet Example 3</b></p><div class="table-contents"><table summary="Browse Subnet Example 3" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E,
-N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*),
-N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D, N1_A(*),
-N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div></div><br class="table-break"><p>
-Servers with an (*) after them are non-authoritative names.
-</p><p>
-At this point, users looking in their Network Neighborhood on
-subnets 1 or 3 will see all the servers on all subnets, while users on
-subnet 2 will still see only the servers on subnets 1 and 2, but not 3.
-</p><p>
-<a class="indexterm" name="id355965"></a>
-<a class="indexterm" name="id355971"></a>
-<a class="indexterm" name="id355978"></a>
-Finally, the LMB for subnet 2 (N2_B) will sync again
-with the DMB (N1_C) and will receive the missing
-server entries. Finally, as when a steady state (if no machines
-are removed or shut off) has been achieved, the browse lists will appear
-as shown in <a class="link" href="NetworkBrowsing.html#brsex3" title="Table 10.4. Browse Subnet Example 4">Browse Subnet Example 4</a>.
-</p><div class="table"><a name="brsex3"></a><p class="title"><b>Table 10.4. Browse Subnet Example 4</b></p><div class="table-contents"><table summary="Browse Subnet Example 4" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E,
-N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*),
-N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*),
-N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*),
-N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D, N1_A(*),
-N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*),
-N2_C(*), N2_D(*)</td></tr></tbody></table></div></div><br class="table-break"><p>
-Servers with an (*) after them are non-authoritative names.
-</p><p>
-Synchronizations between the DMB and LMBs
-will continue to occur, but this should remain a
-steady-state operation.
-</p><p>
-If either router R1 or R2 fails, the following will occur:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
-<a class="indexterm" name="id356100"></a>
- Names of computers on each side of the inaccessible network fragments
- will be maintained for as long as 36 minutes in the Network Neighborhood
- lists.
- </p></li><li class="listitem"><p>
- Attempts to connect to these inaccessible computers will fail, but the
- names will not be removed from the Network Neighborhood lists.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id356122"></a>
-<a class="indexterm" name="id356129"></a>
-<a class="indexterm" name="id356136"></a>
- If one of the fragments is cut off from the WINS server, it will only
- be able to access servers on its local subnet using subnet-isolated
- broadcast NetBIOS name resolution. The effect is similar to that of
- losing access to a DNS server.
- </p></li></ol></div></div></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id356151"></a>Common Errors</h2></div></div></div><p>
-<a class="indexterm" name="id356159"></a>
-<a class="indexterm" name="id356165"></a>
-Many questions are asked on the mailing lists regarding browsing. The majority of browsing
-problems originate from incorrect configuration of NetBIOS name resolution. Some are of
-particular note.
-</p><div class="sect2" title="Flushing the Samba NetBIOS Name Cache"><div class="titlepage"><div><div><h3 class="title"><a name="id356175"></a>Flushing the Samba NetBIOS Name Cache</h3></div></div></div><p>
-How Can One Flush the Samba NetBIOS Name Cache without Restarting Samba?
-</p><p>
-<a class="indexterm" name="id356186"></a>
-<a class="indexterm" name="id356193"></a>
-<a class="indexterm" name="id356200"></a>
-<a class="indexterm" name="id356206"></a>
-Samba's <code class="literal">nmbd</code> process controls all browse list handling. Under normal circumstances it is
-safe to restart <code class="literal">nmbd</code>. This will effectively flush the Samba NetBIOS name cache and cause it
-to be rebuilt. This does not make certain that a rogue machine name will not reappear
-in the browse list. When <code class="literal">nmbd</code> is taken out of service, another machine on the network will
-become the browse master. This new list may still have the rogue entry in it. If you really
-want to clear a rogue machine from the list, every machine on the network must be
-shut down and restarted after all machines are down. Failing a complete restart, the only
-other thing you can do is wait until the entry times out and is then flushed from the list.
-This may take a long time on some networks (perhaps months).
-</p></div><div class="sect2" title="Server Resources Cannot Be Listed"><div class="titlepage"><div><div><h3 class="title"><a name="id356240"></a>Server Resources Cannot Be Listed</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">My Client Reports "<span class="quote">&#8216;<span class="quote">This server is not configured to list shared resources."</span>&#8217;</span></span>&#8221;</span></p><p>
-Your guest account is probably invalid for some reason. Samba uses the
-guest account for browsing in <code class="literal">smbd</code>. Check that your guest account is
-valid.
-</p><p>Also see <a class="link" href="smb.conf.5.html#GUESTACCOUNT" target="_top">guest account</a> in the <code class="filename">smb.conf</code> man page.</p></div><div class="sect2" title='I Get an "Unable to browse the network" Error'><div class="titlepage"><div><div><h3 class="title"><a name="id356285"></a>I Get an "<span class="errorname">Unable to browse the network</span>" Error</h3></div></div></div><p>This error can have multiple causes:
-<a class="indexterm" name="id356297"></a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>There is no LMB. Configure <span class="application">nmbd</span>
- or any other machine to serve as LMB.</p></li><li class="listitem"><p>You cannot log onto the machine that is the LMB.
- Can you log on to it as a guest user? </p></li><li class="listitem"><p>There is no IP connectivity to the LMB.
- Can you reach it by broadcast?</p></li></ul></div></div><div class="sect2" title="Browsing of Shares and Directories is Very Slow"><div class="titlepage"><div><div><h3 class="title"><a name="id356329"></a>Browsing of Shares and Directories is Very Slow</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">
-<a class="indexterm" name="id356338"></a>
-There are only two machines on a test network. One is a Samba server, the other a Windows XP machine.
-Authentication and logons work perfectly, but when I try to explore shares on the Samba server, the
-Windows XP client becomes unresponsive. Sometimes it does not respond for some minutes. Eventually,
-Windows Explorer will respond and displays files and directories without problem.
-</span>&#8221;</span>
-</p><p><span class="quote">&#8220;<span class="quote">
-<a class="indexterm" name="id356354"></a>
-But, the share is immediately available from a command shell (<code class="literal">cmd</code>, followed by
-exploration with DOS command. Is this a Samba problem, or is it a Windows problem? How can I solve this?
-</span>&#8221;</span></p><p>
-Here are a few possibilities:
-</p><div class="variablelist"><dl><dt><span class="term">Bad Networking Hardware</span></dt><dd><p>
-<a class="indexterm" name="id356383"></a>
-<a class="indexterm" name="id356390"></a>
-<a class="indexterm" name="id356397"></a>
-<a class="indexterm" name="id356404"></a>
-<a class="indexterm" name="id356410"></a>
- Most common defective hardware problems center around low cost or defective hubs, routers,
- network interface controllers (NICs), and bad wiring. If one piece of hardware is defective,
- the whole network may suffer. Bad networking hardware can cause data corruption. Most bad
- networking hardware problems are accompanied by an increase in apparent network traffic,
- but not all.
- </p></dd><dt><span class="term">The Windows XP WebClient</span></dt><dd><p>
-<a class="indexterm" name="id356432"></a>
- A number of sites have reported similar slow network browsing problems and found that when
- the WebClient service is turned off, the problem disappears. This is certainly something
- that should be explored because it is a simple solution if it works.
- </p></dd><dt><span class="term">Inconsistent WINS Configuration</span></dt><dd><p>
-<a class="indexterm" name="id356455"></a>
-<a class="indexterm" name="id356461"></a>
- This type of problem is common when one client is configured to use a WINS server (that is
- a TCP/IP configuration setting) and there is no WINS server on the network. Alternatively,
- this will happen if there is a WINS server and Samba is not configured to use it. The use of
- WINS is highly recommended if the network is using NetBIOS over TCP/IP protocols. If use
- of NetBIOS over TCP/IP is disabled on all clients, Samba should not be configured as a WINS
- server, nor should it be configured to use one.
- </p></dd><dt><span class="term">Incorrect DNS Configuration</span></dt><dd><p>
-<a class="indexterm" name="id356484"></a>
-<a class="indexterm" name="id356490"></a>
- If use of NetBIOS over TCP/IP is disabled, Active Directory is in use and the DNS server
- has been incorrectly configured. For further information refer to
- <a class="link" href="NetworkBrowsing.html#adsdnstech" title="DNS and Active Directory">DNS and Active Directory</a>.
- </p></dd></dl></div></div><div class="sect2" title="Invalid Cached Share References Affects Network Browsing"><div class="titlepage"><div><div><h3 class="title"><a name="id356510"></a>Invalid Cached Share References Affects Network Browsing</h3></div></div></div><p>
-<a class="indexterm" name="id356518"></a>
-<a class="indexterm" name="id356525"></a>
-Cached references on your MS Windows client (workstation or server) to shares or servers that no longer exist
-can cause MS Windows Explorer to appear unresponsive as it tries to connect to these shares. After a delay
-(can take a long time) it times out and browsing will appear to be mostly normal again.
-</p><p>
-To eliminate the problem the stale cached references should be removed. This does not happen automatically and
-requires manual intervention. This is a design feature of MS Windows and not anything that Samba can change.
-To remove the stale shortcuts found in <span class="emphasis"><em>My Network Places</em></span> which refer to what are now
-invalid shares or servers it is necessary to edit the Windows Registry under
-<code class="literal">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\</code>. Edit the entry
-<code class="literal">MountPoints2</code> (on Windows XP and later, or <code class="literal">MountPoints</code> on Windows 2000
-and earlier). Remove all keys named <code class="literal">\\server\share</code> (where 'server' and 'share' refer to a
-non-existent server or share).
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Removal of stale network links needs to be done on a per-user basis. Alternately, you can delete the
-shortcuts from the MS Windows Explorer in <code class="literal">My Network Places</code> just by right-clicking them and
-selecting <span class="emphasis"><em>Delete.</em></span>
-</p></div><p>
-<a class="indexterm" name="id356588"></a>
-Samba users have reported that these stale references negatively affect network browsing with Windows, Samba,
-and Novell servers. It is suspected to be a universal problem not directly related to the Samba
-server. Samba users may experience this more often due to Samba being somewhat viewed as an experimenter's
-toolkit. This results from the fact that a user might go through several reconfigurations and incarnations of
-their Samba server, by different names, with different shares, increasing the chances for having stale
-(invalid) cached share references. Windows clients do not expire these references thus necessitating manual
-removal.
-</p><p>
-It is common for <span class="emphasis"><em>Open</em></span> dialog boxes (for example; in Word and Excel) to respond very
-slowly, as they attempt to locate all of the cached references, even if they are not in the current directory
-being accessed.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ChangeNotes.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 9. Important and Critical Change Notes for the Samba 3.x Series </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Account Information Databases</td></tr></table></div></body></html>
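Review bot: the tail of this deleted NetworkBrowsing.html hunk removes the named anchor target `NetworkBrowsing.html#adsdnstech` that the "Incorrect DNS Configuration" entry links to. The other anchors here (`id356383`, `id356510`, ...) look build-generated, so `adsdnstech` is the only deep link anything else could depend on. Before merging, grep the remaining sources and man pages for references to `NetworkBrowsing.html`, and say in the commit message where the rendered HOWTO is built or published, so that the `MountPoints2` registry cleanup steps remain discoverable.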
diff --git a/docs/htmldocs/Samba3-HOWTO/Other-Clients.html b/docs/htmldocs/Samba3-HOWTO/Other-Clients.html
deleted file mode 100644
index c170b80fab..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/Other-Clients.html
+++ /dev/null
@@ -1,151 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 44. Samba and Other CIFS Clients</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="Portability.html" title="Chapter 43. Portability"><link rel="next" href="speed.html" title="Chapter 45. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 44. Samba and Other CIFS Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 44. Samba and Other CIFS Clients"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 44. 
Samba and Other CIFS Clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:dan@samba.org">dan@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><span class="contrib">OS/2</span> <div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="Other-Clients.html#id451283">Macintosh Clients</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id451358">OS2 Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id451364">Configuring OS/2 Warp Connect or OS/2 Warp 4</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451474">Configuring 
Other Versions of OS/2</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451524">Printer Driver Download for OS/2 Clients</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id451608">Windows for Workgroups</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id451614">Latest TCP/IP Stack from Microsoft</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451692">Delete .pwl Files After Password Change</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451713">Configuring Windows for Workgroups Password Handling</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451768">Password Case Sensitivity</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451795">Use TCP/IP as Default Protocol</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#speedimpr">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id451846">Windows 95/98</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id451910">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id451928">Windows 2000 Service Pack 2</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id452108">Windows NT 3.1</a></span></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" title="Macintosh Clients"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451283"></a>Macintosh Clients</h2></div></div></div><p>
-<a class="indexterm" name="id451291"></a>
-Yes. <a class="ulink" href="http://www.thursby.com/" target="_top">Thursby</a> has a CIFS client/server called <a class="ulink" href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a>. They test it against Windows 95, Windows
-NT/200x/XP, and Samba for compatibility issues. At the time of this writing, DAVE was at version 5.1. Please
-refer to Thursby's Web site for more information regarding this product.
-</p><p>
-<a class="indexterm" name="id451315"></a>
-<a class="indexterm" name="id451322"></a>
-Alternatives include two free implementations of AppleTalk for several kinds of UNIX machines and several more
-commercial ones. These products allow you to run file services and print services natively to Macintosh
-users, with no additional support required on the Macintosh. The two free implementations are <a class="ulink" href="http://www.umich.edu/~rsug/netatalk/" target="_top">Netatalk</a> and <a class="ulink" href="http://www.cs.mu.oz.au/appletalk/atalk.html" target="_top">CAP</a>. What Samba offers MS Windows users, these
-packages offer to Macs. For more info on these packages, Samba, and Linux (and other UNIX-based systems), see
-<a class="ulink" href="http://www.eats.com/linux_mac_win.html" target="_top">http://www.eats.com/linux_mac_win.html.</a>
-</p><p>Newer versions of the Macintosh (Mac OS X) include Samba.</p></div><div class="sect1" title="OS2 Client"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451358"></a>OS2 Client</h2></div></div></div><div class="sect2" title="Configuring OS/2 Warp Connect or OS/2 Warp 4"><div class="titlepage"><div><div><h3 class="title"><a name="id451364"></a>Configuring OS/2 Warp Connect or OS/2 Warp 4</h3></div></div></div><p>Basically, you need three components:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>The File and Print Client (IBM peer)</p></li><li class="listitem"><p>TCP/IP (Internet support) </p></li><li class="listitem"><p>The <span class="quote">&#8220;<span class="quote">NetBIOS over TCP/IP</span>&#8221;</span> driver (TCPBEUI)</p></li></ul></div><p>Installing the first two together with the base operating
- system on a blank system is explained in the Warp manual. If Warp
- has already been installed, but you now want to install the
- networking support, use the <span class="quote">&#8220;<span class="quote">Selective Install for Networking</span>&#8221;</span>
- object in the <span class="quote">&#8220;<span class="quote">System Setup</span>&#8221;</span> folder.</p><p>Adding the <span class="quote">&#8220;<span class="quote">NetBIOS over TCP/IP</span>&#8221;</span> driver is not described
- in the manual and just barely in the online documentation. Start
- <code class="literal">MPTS.EXE</code>, click on <span class="guiicon">OK</span>, click on <span class="guimenu">Configure LAPS</span>, and click
- on <span class="guimenu">IBM OS/2 NETBIOS OVER TCP/IP</span> in <span class="guilabel">Protocols</span>. This line
- is then moved to <span class="guilabel">Current Configuration</span>. Select that line,
- click on <span class="guimenuitem">Change number</span>, and increase it from 0 to 1. Save this
- configuration.</p><p>If the Samba server is not on your local subnet, you
- can optionally add IP names and addresses of these servers
- to the <span class="guimenu">Names List</span> or specify a WINS server (NetBIOS
- Nameserver in IBM and RFC terminology). For Warp Connect, you
- may need to download an update for <code class="constant">IBM Peer</code> to bring it on
- the same level as Warp 4. See the IBM OS/2 Warp Web page</p></div><div class="sect2" title="Configuring Other Versions of OS/2"><div class="titlepage"><div><div><h3 class="title"><a name="id451474"></a>Configuring Other Versions of OS/2</h3></div></div></div><p>This sections deals with configuring OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x.</p><p>You can use the free Microsoft LAN Manager 2.2c Client for OS/2 that is
- available from
- <a class="ulink" href="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" target="_top">
- ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</a>. In a nutshell, edit
- the file <code class="filename">\OS2VER</code> in the root directory of the OS/2 boot partition and add the lines:</p><pre class="programlisting">
- 20=setup.exe
- 20=netwksta.sys
- 20=netvdd.sys
- </pre><p>before you install the client. Also, do not use the included NE2000 driver because it is buggy.
- Try the NE2000 or NS2000 driver from <a class="ulink" href="ftp://ftp.cdrom.com/pub/os2/network/ndis/" target="_top">
- ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead.
- </p></div><div class="sect2" title="Printer Driver Download for OS/2 Clients"><div class="titlepage"><div><div><h3 class="title"><a name="id451524"></a>Printer Driver Download for OS/2 Clients</h3></div></div></div><p>Create a share called <em class="parameter"><code>[PRINTDRV]</code></em> that is
- world-readable. Copy your OS/2 driver files there. The <code class="filename">.EA_</code>
- files must still be separate, so you will need to use the original install files
- and not copy an installed driver from an OS/2 system.</p><p>Install the NT driver first for that printer. Then, add to your <code class="filename">smb.conf</code> a parameter,
- <a class="link" href="smb.conf.5.html#OS2DRIVERMAP" target="_top">os2 driver map</a>.
- Next, in the file specified by <em class="replaceable"><code>filename</code></em>, map the
- name of the NT driver name to the OS/2 driver name as follows:</p><p><em class="parameter"><code><em class="replaceable"><code>nt driver name</code></em> = <em class="replaceable"><code>os2 driver name</code></em>.<em class="replaceable"><code>device name</code></em></code></em>, e.g.,</p><p><em class="parameter"><code>
- HP LaserJet 5L = LASERJET.HP LaserJet 5L</code></em></p><p>You can have multiple drivers mapped in this file.</p><p>If you only specify the OS/2 driver name, and not the
- device name, the first attempt to download the driver will
- actually download the files, but the OS/2 client will tell
- you the driver is not available. On the second attempt, it
- will work. This is fixed simply by adding the device name
- to the mapping, after which it will work on the first attempt.
- </p></div></div><div class="sect1" title="Windows for Workgroups"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451608"></a>Windows for Workgroups</h2></div></div></div><div class="sect2" title="Latest TCP/IP Stack from Microsoft"><div class="titlepage"><div><div><h3 class="title"><a name="id451614"></a>Latest TCP/IP Stack from Microsoft</h3></div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows
-for Workgroups. The early TCP/IP stacks had lots of bugs.</p><p>
-Microsoft has released an incremental upgrade to its TCP/IP 32-bit VxD drivers. The latest release can be
-found at ftp.microsoft.com, located in <code class="filename">/Softlib/MSLFILES/TCP32B.EXE</code>. There is an
-update.txt file there that describes the problems that were fixed. New files include
-<code class="filename">WINSOCK.DLL</code>, <code class="filename">TELNET.EXE</code>, <code class="filename">WSOCK.386</code>,
-<code class="filename">VNBT.386</code>, <code class="filename">WSTCP.386</code>, <code class="filename">TRACERT.EXE</code>,
-<code class="filename">NETSTAT.EXE</code>, and <code class="filename">NBTSTAT.EXE</code>.
-</p><p>
-More information about this patch is available in <a class="ulink" href="http://support.microsoft.com/kb/q99891/" target="_top">Knowledge Base article 99891</a>.
-</p></div><div class="sect2" title="Delete .pwl Files After Password Change"><div class="titlepage"><div><div><h3 class="title"><a name="id451692"></a>Delete .pwl Files After Password Change</h3></div></div></div><p>
-Windows for Workgroups does a lousy job with passwords. When you change passwords on either
-the UNIX box or the PC, the safest thing to do is delete the .pwl files in the Windows
-directory. The PC will complain about not finding the files, but will soon get over it,
-allowing you to enter the new password.
-</p><p>
-If you do not do this, you may find that Windows for Workgroups remembers and uses the old
-password, even if you told it a new one.
-</p><p>
-Often Windows for Workgroups will totally ignore a password you give it in a dialog box.
-</p></div><div class="sect2" title="Configuring Windows for Workgroups Password Handling"><div class="titlepage"><div><div><h3 class="title"><a name="id451713"></a>Configuring Windows for Workgroups Password Handling</h3></div></div></div><p>
-<a class="indexterm" name="id451721"></a>
-There is a program call <code class="filename">admincfg.exe</code> on the last disk (disk 8) of the WFW 3.11 disk set.
-To install it, type <strong class="userinput"><code>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</code></strong>. Then add an icon
-for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> menu. This program allows
-you to control how WFW handles passwords, Disable Password Caching and so on, for use with <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = user</a>.
-</p></div><div class="sect2" title="Password Case Sensitivity"><div class="titlepage"><div><div><h3 class="title"><a name="id451768"></a>Password Case Sensitivity</h3></div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server.
-UNIX passwords can be case-sensitive though. Check the <code class="filename">smb.conf</code> information on
-<a class="link" href="smb.conf.5.html#PASSWORDLEVEL" target="_top">password level</a> to specify what characters
-Samba should try to uppercase when checking.</p></div><div class="sect2" title="Use TCP/IP as Default Protocol"><div class="titlepage"><div><div><h3 class="title"><a name="id451795"></a>Use TCP/IP as Default Protocol</h3></div></div></div><p>To support print queue reporting, you may find
-that you have to use TCP/IP as the default protocol under
-Windows for Workgroups. For some reason, if you leave NetBEUI as the default,
-it may break the print queue reporting on some systems.
-It is presumably a Windows for Workgroups bug.</p></div><div class="sect2" title="Speed Improvement"><div class="titlepage"><div><div><h3 class="title"><a name="speedimpr"></a>Speed Improvement</h3></div></div></div><p>
-Note that some people have found that setting <em class="parameter"><code>DefaultRcvWindow</code></em> in
-the <em class="parameter"><code>[MSTCP]</code></em> section of the
-<code class="filename">SYSTEM.INI</code> file under Windows for Workgroups to 3072 gives a
-big improvement.
-</p><p>
-My own experience with DefaultRcvWindow is that I get a much better
-performance with a large value (16384 or larger). Other people have
-reported that anything over 3072 slows things down enormously. One
-person even reported a speed drop of a factor of 30 when he went from
-3072 to 8192.
-</p></div></div><div class="sect1" title="Windows 95/98"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451846"></a>Windows 95/98</h2></div></div></div><p>
-When using Windows 95 OEM SR2, the following updates are recommended where Samba
-is being used. Please note that the changes documented in
-<a class="link" href="Other-Clients.html#speedimpr" title="Speed Improvement">Speed Improvement</a> will affect you once these
-updates have been installed.
-</p><p>
-There are more updates than the ones mentioned here. Refer to the
-Microsoft Web site for all currently available updates to your specific version
-of Windows 95.
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p>
-Also, if using <span class="application">MS Outlook,</span> it is desirable to
-install the <code class="literal">OLEUPD.EXE</code> fix. This
-fix may stop your machine from hanging for an extended period when exiting
-Outlook, and you may notice a significant speedup when accessing network
-neighborhood services.
-</p><div class="sect2" title="Speed Improvement"><div class="titlepage"><div><div><h3 class="title"><a name="id451910"></a>Speed Improvement</h3></div></div></div><p>
-Configure the Windows 95 TCP/IP registry settings to give better
-performance. I use a program called <code class="literal">MTUSPEED.exe</code> that I got off the
-Internet. There are various other utilities of this type freely available.
-</p></div></div><div class="sect1" title="Windows 2000 Service Pack 2"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451928"></a>Windows 2000 Service Pack 2</h2></div></div></div><p>
-There are several annoyances with Windows 2000 SP2, one of which
-only appears when using a Samba server to host user profiles
-to Windows 2000 SP2 clients in a Windows domain. This assumes
-that Samba is a member of the domain, but the problem will
-most likely occur if it is not.
-</p><p>
-In order to serve profiles successfully to Windows 2000 SP2
-clients (when not operating as a PDC), Samba must have
-<a class="link" href="smb.conf.5.html#NTACLSUPPORT" target="_top">nt acl support = no</a>
-added to the file share that houses the roaming profiles.
-If this is not done, then the Windows 2000 SP2 client will
-complain about not being able to access the profile (Access
-Denied) and create multiple copies of it on disk (DOMAIN.user.001,
-DOMAIN.user.002, and so on). See the <code class="filename">smb.conf</code> man page
-for more details on this option. Also note that the
-<a class="link" href="smb.conf.5.html#NTACLSUPPORT" target="_top">nt acl support</a> parameter was formally a global parameter in
-releases prior to Samba 2.2.2.
-</p><p>
-<a class="link" href="Other-Clients.html#minimalprofile" title="Example 44.1. Minimal Profile Share">Following example</a> provides a minimal profile share.
-</p><div class="example"><a name="minimalprofile"></a><p class="title"><b>Example 44.1. Minimal Profile Share</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[profile]</code></em></td></tr><tr><td><a class="indexterm" name="id452010"></a><em class="parameter"><code>path = /export/profile</code></em></td></tr><tr><td><a class="indexterm" name="id452021"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id452033"></a><em class="parameter"><code>directory mask = 0700</code></em></td></tr><tr><td><a class="indexterm" name="id452044"></a><em class="parameter"><code>nt acl support = no</code></em></td></tr><tr><td><a class="indexterm" name="id452056"></a><em class="parameter"><code>read only = no</code></em></td></tr></table></div></div><br class="example-break"><p>
-The reason for this bug is that the Windows 200x SP2 client copies
-the security descriptor for the profile that contains
-the Samba server's SID, and not the domain SID. The client
-compares the SID for SAMBA\user and realizes it is
-different from the one assigned to DOMAIN\user; hence,
-<span class="errorname">access denied</span> message.
-</p><p>
-When the <a class="link" href="smb.conf.5.html#NTACLSUPPORT" target="_top">nt acl support</a> parameter is disabled, Samba will send
-the Windows 200x client a response to the QuerySecurityDescriptor trans2 call, which causes the client
-to set a default ACL for the profile. This default ACL includes:
-</p><p><span class="emphasis"><em>DOMAIN\user <span class="quote">&#8220;<span class="quote">Full Control</span>&#8221;</span></em></span>&gt;</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using Winbind to
-create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" title="Windows NT 3.1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452108"></a>Windows NT 3.1</h2></div></div></div><p>If you have problems communicating across routers with Windows
-NT 3.1 workstations, read <a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;Q103765" target="_top">this Microsoft Knowledge Base article:</a>.
-
-</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 43. Portability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 45. Samba Performance Tuning</td></tr></table></div></body></html>
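Review bot: the first deleted line of Other-Clients.html carries `<meta name="generator" content="DocBook XSL Stylesheets V1.75.2">`, so this is build output, and removing it is only safe if the chapter's DocBook source stays in the tree and still renders. Please confirm that, since this page holds the `nt acl support = no` profile-share guidance (Example 44.1) and the Windows for Workgroups password-handling notes. Also check that nothing outside `docs/htmldocs` links to `Other-Clients.html#speedimpr` or `Other-Clients.html#minimalprofile`, the two named anchors this hunk removes.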
diff --git a/docs/htmldocs/Samba3-HOWTO/PolicyMgmt.html b/docs/htmldocs/Samba3-HOWTO/PolicyMgmt.html
deleted file mode 100644
index e0237f093b..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/PolicyMgmt.html
+++ /dev/null
@@ -1,385 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 26. System and Account Policies</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="AdvancedNetworkManagement.html" title="Chapter 25. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 26. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 26. System and Account Policies"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 26. 
System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="PolicyMgmt.html#id422418">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id422683">Windows 9x/ME Policies</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id423619">Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id423630">Samba Editreg Toolset</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id423706">Windows NT4/200x</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id423743">Samba PDC</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id423806">System Startup and Logon Processing Overview</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id423947">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id423958">Policy Does Not Work</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id422407"></a>
-This chapter summarizes the current state of knowledge derived from personal
-practice and knowledge from Samba mailing list subscribers. Before reproduction
-of posted information, every effort has been made to validate the information given.
-Where additional information was uncovered through this validation, it is provided
-also.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id422418"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id422425"></a>
-<a class="indexterm" name="id422432"></a>
-<a class="indexterm" name="id422439"></a>
-When MS Windows NT 3.5 was introduced, the hot new topic was the ability to implement
-Group Policies for users and groups. Then along came MS Windows NT4 and a few sites
-started to adopt this capability. How do we know that? By the number of <span class="quote">&#8220;<span class="quote">boo-boos</span>&#8221;</span>
-(or mistakes) administrators made and then requested help to resolve.
-</p><p>
-<a class="indexterm" name="id422455"></a>
-<a class="indexterm" name="id422462"></a>
-<a class="indexterm" name="id422471"></a>
-<a class="indexterm" name="id422478"></a>
-<a class="indexterm" name="id422484"></a>
-By the time that MS Windows 2000 and Active Directory was released, administrators
-got the message: Group Policies are a good thing! They can help reduce administrative
-costs and actually make happier users. But adoption of the true
-potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
-and machines were picked up on rather slowly. This was obvious from the Samba
-mailing list back in 2000 and 2001 when there were few postings regarding GPOs and
-how to replicate them in a Samba environment.
-</p><p>
-<a class="indexterm" name="id422501"></a>
-Judging by the traffic volume since mid 2002, GPOs have become a standard part of
-the deployment in many sites. This chapter reviews techniques and methods that can
-be used to exploit opportunities for automation of control over user desktops and
-network client workstations.
-</p></div><div class="sect1" title="Creating and Managing System Policies"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id422512"></a>Creating and Managing System Policies</h2></div></div></div><p>
-<a class="indexterm" name="id422520"></a>
-<a class="indexterm" name="id422527"></a>
-<a class="indexterm" name="id422534"></a>
-<a class="indexterm" name="id422541"></a>
-Under MS Windows platforms, particularly those following the release of MS Windows
-NT4 and MS Windows 95, it is possible to create a type of file that would be placed
-in the NETLOGON share of a domain controller. As the client logs onto the network,
-this file is read and the contents initiate changes to the registry of the client
-machine. This file allows changes to be made to those parts of the registry that
-affect users, groups of users, or machines.
-</p><p>
-<a class="indexterm" name="id422555"></a>
-<a class="indexterm" name="id422562"></a>
-<a class="indexterm" name="id422568"></a>
-For MS Windows 9x/Me, this file must be called <code class="filename">Config.POL</code> and may
-be generated using a tool called <code class="filename">poledit.exe</code>, better known as the
-Policy Editor. The policy editor was provided on the Windows 98 installation CD-ROM, but
-disappeared again with the introduction of MS Windows Me. From
-comments of MS Windows network administrators, it would appear that this tool became
-a part of the MS Windows Me Resource Kit.
-</p><p>
-<a class="indexterm" name="id422594"></a>
-MS Windows NT4 server products include the <span class="emphasis"><em>System Policy Editor</em></span>
-under <span class="guimenu">Start -&gt; Programs -&gt; Administrative Tools</span>.
-For MS Windows NT4 and later clients, this file must be called <code class="filename">NTConfig.POL</code>.
-</p><p>
-<a class="indexterm" name="id422620"></a>
-New with the introduction of MS Windows 2000 was the Microsoft Management Console
-or MMC. This tool is the new wave in the ever-changing landscape of Microsoft
-methods for management of network access and security. Every new Microsoft product
-or technology seems to make the old rules obsolete and introduces newer and more
-complex tools and methods. To Microsoft's credit, the MMC does appear to
-be a step forward, but improved functionality comes at a great price.
-</p><p>
-<a class="indexterm" name="id422634"></a>
-<a class="indexterm" name="id422641"></a>
-<a class="indexterm" name="id422648"></a>
-<a class="indexterm" name="id422654"></a>
-Before embarking on the configuration of network and system policies, it is highly
-advisable to read the documentation available from Microsoft's Web site regarding
-<a class="ulink" href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp" target="_top">
-Implementing Profiles and Policies in Windows NT 4.0</a>.
-There are a large number of documents in addition to this old one that should also
-be read and understood. Try searching on the Microsoft Web site for <span class="quote">&#8220;<span class="quote">Group Policies</span>&#8221;</span>.
-</p><p>
-What follows is a brief discussion with some helpful notes. The information provided
-here is incomplete you are warned.
-</p><div class="sect2" title="Windows 9x/ME Policies"><div class="titlepage"><div><div><h3 class="title"><a name="id422683"></a>Windows 9x/ME Policies</h3></div></div></div><p>
-<a class="indexterm" name="id422691"></a>
-<a class="indexterm" name="id422697"></a>
- You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/Me.
- It can be found on the original full-product Windows 98 installation CD-ROM under
- <code class="filename">tools\reskit\netadmin\poledit</code>. Install this using the
- Add/Remove Programs facility, and then click on <span class="guiicon">Have Disk</span>.
- </p><p>
-<a class="indexterm" name="id422721"></a>
-<a class="indexterm" name="id422728"></a>
- Use the Group Policy Editor to create a policy file that specifies the location of
- user profiles and/or <code class="filename">My Documents</code>, and so on. Then save these
- settings in a file called <code class="filename">Config.POL</code> that needs to be placed in the
- root of the <em class="parameter"><code>[NETLOGON]</code></em> share. If Windows 98 is configured to log onto
- the Samba domain, it will automatically read this file and update the Windows 9x/Me registry
- of the machine as it logs on.
- </p><p>
- Further details are covered in the Windows 98 Resource Kit documentation.
- </p><p>
-<a class="indexterm" name="id422763"></a>
- If you do not take the correct steps, then every so often Windows 9x/Me will check the
- integrity of the registry and restore its settings from the backup
- copy of the registry it stores on each Windows 9x/Me machine. So, you will
- occasionally notice things changing back to the original settings.
- </p><p>
-<a class="indexterm" name="id422775"></a>
-<a class="indexterm" name="id422782"></a>
- Install the Group Policy handler for Windows 9x/Me to pick up Group Policies. Look on the
- Windows 98 CD-ROM in <code class="filename">\tools\reskit\netadmin\poledit</code>.
- Install Group Policies on a Windows 9x/Me client by double-clicking on
- <code class="filename">grouppol.inf</code>. Log off and on again a couple of times and see
- if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every
- Windows 9x/Me machine that uses Group Policies.
- </p></div><div class="sect2" title="Windows NT4-Style Policy Files"><div class="titlepage"><div><div><h3 class="title"><a name="id422806"></a>Windows NT4-Style Policy Files</h3></div></div></div><p>
-<a class="indexterm" name="id422814"></a>
-<a class="indexterm" name="id422821"></a>
-<a class="indexterm" name="id422828"></a>
-<a class="indexterm" name="id422835"></a>
- To create or edit <code class="filename">ntconfig.pol</code>, you must use the NT Server
- Policy Editor, <code class="literal">poledit.exe</code>, which is included with NT4 Server
- but not with NT workstation. There is a Policy Editor on an NT4
- Workstation but it is not suitable for creating domain policies.
- Furthermore, although the Windows 95 Policy Editor can be installed on an NT4
- workstation/server, it will not work with NT clients. However, the files from
- the NT Server will run happily enough on an NT4 workstation.
- </p><p>
-<a class="indexterm" name="id422860"></a>
-<a class="indexterm" name="id422867"></a>
-<a class="indexterm" name="id422874"></a>
-<a class="indexterm" name="id422881"></a>
- You need <code class="filename">poledit.exe</code>, <code class="filename">common.adm</code>, and <code class="filename">winnt.adm</code>.
- It is convenient to put the two <code class="filename">*.adm</code> files in the <code class="filename">c:\winnt\inf</code>
- directory, which is where the binary will look for them unless told otherwise. This
- directory is normally <span class="quote">&#8220;<span class="quote">hidden.</span>&#8221;</span>
- </p><p>
-<a class="indexterm" name="id422925"></a>
-<a class="indexterm" name="id422932"></a>
-<a class="indexterm" name="id422939"></a>
-<a class="indexterm" name="id422945"></a>
- The Windows NT Policy Editor is also included with the Service Pack 3 (and
- later) for Windows NT 4.0. Extract the files using <code class="literal">servicepackname /x</code>
- that's <code class="literal">Nt4sp6ai.exe /x</code> for Service Pack 6a. The Policy Editor,
- <code class="literal">poledit.exe</code>, and the associated template files (*.adm) should
- be extracted as well. It is also possible to download the policy template
- files for Office97 and get a copy of the Policy Editor. Another possible
- location is with the Zero Administration Kit available for download from Microsoft.
- </p><div class="sect3" title="Registry Spoiling"><div class="titlepage"><div><div><h4 class="title"><a name="id422977"></a>Registry Spoiling</h4></div></div></div><p>
-<a class="indexterm" name="id422985"></a>
-<a class="indexterm" name="id422992"></a>
- With NT4-style registry-based policy changes, a large number of settings are not
- automatically reversed as the user logs off. The settings that were in the
- <code class="filename">NTConfig.POL</code> file were applied to the client machine registry and apply to the
- hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
- as tattooing. It can have serious consequences downstream, and the administrator must
- be extremely careful not to lock out the ability to manage the machine at a later date.
- </p></div></div><div class="sect2" title="MS Windows 200x/XP Professional Policies"><div class="titlepage"><div><div><h3 class="title"><a name="id423012"></a>MS Windows 200x/XP Professional Policies</h3></div></div></div><p>
-<a class="indexterm" name="id423020"></a>
- Windows NT4 system policies allow the setting of registry parameters specific to
- users, groups, and computers (client workstations) that are members of the NT4-style
- domain. Such policy files will work with MS Windows 200x/XP clients also.
- </p><p>
- New to MS Windows 2000, Microsoft recently introduced a style of Group Policy that confers
- a superset of capabilities compared with NT4-style policies. Obviously, the tool used
- to create them is different, and the mechanism for implementing them is much improved.
- </p><p>
- <a class="indexterm" name="id423038"></a>
-<a class="indexterm" name="id423045"></a>
- The older NT4-style registry-based policies are known as <span class="emphasis"><em>Administrative Templates</em></span>
- in MS Windows 2000/XP GPOs. The latter includes the ability to set various security
- configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
- users desktop (including the location of <code class="filename">My Documents</code> files, as
- well as intrinsics of where menu items will appear in the Start menu). An additional new
- feature is the ability to make available particular software Windows applications to particular
- users and/or groups.
- </p><p>
-<a class="indexterm" name="id423069"></a>
-<a class="indexterm" name="id423076"></a>
-<a class="indexterm" name="id423082"></a>
- Remember, NT4 policy files are named <code class="filename">NTConfig.POL</code> and are stored in the root
- of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username and password
- and selects the domain name to which the logon will attempt to take place. During the logon process,
- the client machine reads the <code class="filename">NTConfig.POL</code> file from the NETLOGON share on
- the authenticating server and modifies the local registry values according to the settings in this file.
- </p><p>
-<a class="indexterm" name="id423108"></a>
-<a class="indexterm" name="id423115"></a>
-<a class="indexterm" name="id423121"></a>
-<a class="indexterm" name="id423128"></a>
-<a class="indexterm" name="id423135"></a>
-<a class="indexterm" name="id423142"></a>
-<a class="indexterm" name="id423151"></a>
-<a class="indexterm" name="id423160"></a>
- Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of
- a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
- in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
- Directory domain controllers. The part that is stored in the Active Directory itself is called the
- Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is
- known as the Group Policy Template (GPT).
- </p><p>
-<a class="indexterm" name="id423175"></a>
- With NT4 clients, the policy file is read and executed only as each user logs onto the network.
- MS Windows 200x policies are much more complex GPOs are processed and applied at client machine
- startup (machine specific part), and when the user logs onto the network, the user-specific part
- is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject
- to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
- the administrator to also set filters over the policy settings. No such equivalent capability
- exists with NT4-style policy files.
- </p><div class="sect3" title="Administration of Windows 200x/XP Policies"><div class="titlepage"><div><div><h4 class="title"><a name="id423192"></a>Administration of Windows 200x/XP Policies</h4></div></div></div><p>
- <a class="indexterm" name="id423200"></a>
- <a class="indexterm" name="id423205"></a>
-<a class="indexterm" name="id423212"></a>
-<a class="indexterm" name="id423219"></a>
-<a class="indexterm" name="id423226"></a>
- Instead of using the tool called <span class="application">the System Policy Editor</span>, commonly called Poledit (from the
- executable name <code class="literal">poledit.exe</code>), <acronym class="acronym">GPOs</acronym> are created and managed using a
- <span class="application">Microsoft Management Console</span> <acronym class="acronym">(MMC)</acronym> snap-in as follows:</p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Go to the Windows 200x/XP menu <span class="guimenu">Start-&gt;Programs-&gt;Administrative Tools</span>
- and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span>
- </p></li><li class="step" title="Step 2"><p>
-<a class="indexterm" name="id423286"></a>
- Select the domain or organizational unit (OU) that you wish to manage, then right-click
- to open the context menu for that object, and select the <span class="guibutton">Properties</span>.
- </p></li><li class="step" title="Step 3"><p>
- Left-click on the <span class="guilabel">Group Policy</span> tab, then
- left-click on the New tab. Type a name
- for the new policy you will create.
- </p></li><li class="step" title="Step 4"><p>
- Left-click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO.
- </p></li></ol></div><p>
- All policy configuration options are controlled through the use of policy administrative
- templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP.
- Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x.
- The latter introduces many new features as well as extended definition capabilities. It is
- well beyond the scope of this documentation to explain how to program .adm files; for that,
- refer to the Microsoft Windows Resource Kit for your particular
- version of MS Windows.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id423344"></a>
-<a class="indexterm" name="id423351"></a>
-<a class="indexterm" name="id423358"></a>
- The MS Windows 2000 Resource Kit contains a tool called <code class="literal">gpolmig.exe</code>. This tool can be used
- to migrate an NT4 <code class="filename">NTConfig.POL</code> file into a Windows 200x style GPO. Be VERY careful how you
- use this powerful tool. Please refer to the resource kit manuals for specific usage information.
- </p></div></div><div class="sect3" title="Custom System Policy Templates"><div class="titlepage"><div><div><h4 class="title"><a name="id423382"></a>Custom System Policy Templates</h4></div></div></div><p>
- Over the past year, there has been a bit of talk regarding the creation of customized
- templates for the Windows Sytem Policy Editor. A recent announcement on the Samba mailing
- list is worthy of mention.
- </p><p>
- Mike Petersen has announced the availability of a template file he has created. This custom System Policy
- Editor Template will allow you to successfully control Microsoft Windows workstations from an SMB server, such
- as Samba. This template has been tested on a few networks, although if you find any problems with any of these
- policies, or have any ideas for additional policies, let me know at mailto:mgpeter@pcc-services.com. This
- Template includes many policies for Windows XP to allow it to behave better in a professional environment.
- </p><p>
- For further information please see the <a class="ulink" href="http://www.pcc-services.com/custom_poledit.html" target="_top">Petersen</a> Computer Consulting web site. There is
- a download link for the template file.
- </p></div></div></div><div class="sect1" title="Managing Account/User Policies"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id423414"></a>Managing Account/User Policies</h2></div></div></div><p>
-<a class="indexterm" name="id423422"></a>
-<a class="indexterm" name="id423429"></a>
-<a class="indexterm" name="id423436"></a>
-Policies can define a specific user's settings or the settings for a group of users. The resulting
-policy file contains the registry settings for all users, groups, and computers that will be using
-the policy file. Separate policy files for each user, group, or computer are not necessary.
-</p><p>
-<a class="indexterm" name="id423448"></a>
-If you create a policy that will be automatically downloaded from validating domain controllers,
-you should name the file <code class="filename">NTConfig.POL</code>. As system administrator, you have the option of renaming the
-policy file and, by modifying the Windows NT-based workstation, directing the computer to update
-the policy from a manual path. You can do this by either manually changing the registry or by using
-the System Policy Editor. This can even be a local path such that each machine has its own policy file,
-but if a change is necessary to all machines, it must be made individually to each workstation.
-</p><p>
-<a class="indexterm" name="id423469"></a>
-<a class="indexterm" name="id423476"></a>
-When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on
-the authenticating domain controller for the presence of the <code class="filename">NTConfig.POL</code> file. If one exists, it is
-downloaded, parsed, and then applied to the user's part of the registry.
-</p><p>
-<a class="indexterm" name="id423494"></a>
-<a class="indexterm" name="id423501"></a>
-<a class="indexterm" name="id423508"></a>
-<a class="indexterm" name="id423514"></a>
-MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally
-acquire policy settings through GPOs that are defined and stored in Active Directory
-itself. The key benefit of using AD GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect.
-This has considerable advantage compared with the use of <code class="filename">NTConfig.POL</code> (NT4) style policy updates.
-</p><p>
-<a class="indexterm" name="id423537"></a>
-<a class="indexterm" name="id423544"></a>
-In addition to user access controls that may be imposed or applied via system and/or group policies
-in a manner that works in conjunction with user profiles, the user management environment under
-MS Windows NT4/200x/XP allows per-domain as well as per-user account restrictions to be applied.
-Common restrictions that are frequently used include:
-</p><p>
-<a class="indexterm" name="id423557"></a>
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Logon hours</p></li><li class="listitem"><p>Password aging</p></li><li class="listitem"><p>Permitted logon from certain machines only</p></li><li class="listitem"><p>Account type (local or global)</p></li><li class="listitem"><p>User rights</p></li></ul></div><p>
-</p><p>
-<a class="indexterm" name="id423593"></a>
-<a class="indexterm" name="id423600"></a>
-Samba-3.0.20 does not yet implement all account controls that are common to MS Windows NT4/200x/XP.
-While it is possible to set many controls using the Domain User Manager for MS Windows NT4, only password
-expiry is functional today. Most of the remaining controls at this time have only stub routines
-that may eventually be completed to provide actual control. Do not be misled by the fact that a
-parameter can be set using the NT4 Domain User Manager or in the <code class="filename">NTConfig.POL</code>.
-</p></div><div class="sect1" title="Management Tools"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id423619"></a>Management Tools</h2></div></div></div><p>
-Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools.
-The following sections describe a few key tools that will help you to create a low-maintenance user
-environment.
-</p><div class="sect2" title="Samba Editreg Toolset"><div class="titlepage"><div><div><h3 class="title"><a name="id423630"></a>Samba Editreg Toolset</h3></div></div></div><p>
- <a class="indexterm" name="id423637"></a>
- <a class="indexterm" name="id423644"></a>
- <a class="indexterm" name="id423651"></a>
- A new tool called <code class="literal">editreg</code> is under development. This tool can be used
- to edit registry files (called <code class="filename">NTUser.DAT</code>) that are stored in user
- and group profiles. <code class="filename">NTConfig.POL</code> files have the same structure as the
- <code class="filename">NTUser.DAT</code> file and can be edited using this tool. <code class="literal">editreg</code>
- is being built with the intent to enable <code class="filename">NTConfig.POL</code> files to be saved in text format and to
- permit the building of new <code class="filename">NTConfig.POL</code> files with extended capabilities. It is proving difficult
- to realize this capability, so do not be surprised if this feature does not materialize. Formal
- capabilities will be announced at the time that this tool is released for production use.
- </p></div><div class="sect2" title="Windows NT4/200x"><div class="titlepage"><div><div><h3 class="title"><a name="id423706"></a>Windows NT4/200x</h3></div></div></div><p>
-<a class="indexterm" name="id423714"></a>
-<a class="indexterm" name="id423721"></a>
-<a class="indexterm" name="id423727"></a>
- The tools that may be used to configure these types of controls from the MS Windows environment are
- the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe).
- Under MS Windows 200x/XP, this is done using the MMC with appropriate
- <span class="quote">&#8220;<span class="quote">snap-ins,</span>&#8221;</span> the registry editor, and potentially also the NT4 System and Group Policy Editor.
- </p></div><div class="sect2" title="Samba PDC"><div class="titlepage"><div><div><h3 class="title"><a name="id423743"></a>Samba PDC</h3></div></div></div><p>
-<a class="indexterm" name="id423751"></a>
-<a class="indexterm" name="id423757"></a>
-<a class="indexterm" name="id423764"></a>
-<a class="indexterm" name="id423771"></a>
- With a Samba domain controller, the new tools for managing user account and policy information include:
- <code class="literal">smbpasswd</code>, <code class="literal">pdbedit</code>, <code class="literal">net</code>, and <code class="literal">rpcclient</code>.
- The administrator should read the man pages for these tools and become familiar with their use.
- </p></div></div><div class="sect1" title="System Startup and Logon Processing Overview"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id423806"></a>System Startup and Logon Processing Overview</h2></div></div></div><p>
-The following attempts to document the order of processing the system and user policies following a system
-reboot and as part of the user logon:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
-<a class="indexterm" name="id423826"></a>
-<a class="indexterm" name="id423835"></a>
- Network starts, then Remote Procedure Call System Service (RPCSS) and multiple universal naming
- convention provider (MUP) start.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id423850"></a>
-<a class="indexterm" name="id423857"></a>
- Where Active Directory is involved, an ordered list of GPOs is downloaded
- and applied. The list may include GPOs that:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Apply to the location of machines in a directory.</p></li><li class="listitem"><p>Apply only when settings have changed.</p></li><li class="listitem"><p>Depend on configuration of the scope of applicability: local,
- site, domain, organizational unit, and so on.</p></li></ul></div><p>
- No desktop user interface is presented until the above have been processed.
- </p></li><li class="listitem"><p>
- Execution of startup scripts (hidden and synchronous by default).
- </p></li><li class="listitem"><p>
- A keyboard action to effect start of logon (Ctrl-Alt-Del).
- </p></li><li class="listitem"><p>
- User credentials are validated, user profile is loaded (depends on policy settings).
- </p></li><li class="listitem"><p>
- An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:
-
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Is the user a domain member, thus subject to particular policies?</p></li><li class="listitem"><p>Loopback enablement, and the state of the loopback policy (merge or replace).</p></li><li class="listitem"><p>Location of the Active Directory itself.</p></li><li class="listitem"><p>Has the list of GPOs changed? No processing is needed if not changed.</p></li></ul></div><p>
- </p></li><li class="listitem"><p>
- User policies are applied from Active Directory. Note: There are several types.
- </p></li><li class="listitem"><p>
- Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on GPOs
- (hidden and executed synchronously). NT4-style logon scripts are then run in a normal
- window.
- </p></li><li class="listitem"><p>
- The user interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4
- domain), machine (system) policies are applied at startup; user policies are applied at logon.
- </p></li></ol></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id423947"></a>Common Errors</h2></div></div></div><p>
-Policy-related problems can be quite difficult to diagnose and even more difficult to rectify. The following
-collection demonstrates only basic issues.
-</p><div class="sect2" title="Policy Does Not Work"><div class="titlepage"><div><div><h3 class="title"><a name="id423958"></a>Policy Does Not Work</h3></div></div></div><p>
-<span class="quote">&#8220;<span class="quote">We have created the <code class="filename">Config.POL</code> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share.
-It has made no difference to our Win XP Pro machines, they just do not see it. It worked fine with Win 98 but does not
-work any longer since we upgraded to Win XP Pro. Any hints?</span>&#8221;</span>
-</p><p>
-Policy files are not portable between Windows 9x/Me and MS Windows NT4/200x/XP-based platforms. You need to
-use the NT4 Group Policy Editor to create a file called <code class="filename">NTConfig.POL</code> so it is in the
-correct format for your MS Windows XP Pro clients.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 25. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 27. Desktop Profile Management</td></tr></table></div></body></html>
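Review bot: The deleted chapter text includes two operational caveats that should not be lost without a stated replacement: the Registry Spoiling section (settings from NTConfig.POL applied under HKEY_LOCAL_MACHINE stay in place until explicitly reversed) and the statement under Managing Account/User Policies that only password expiry is functional among the NT4 account controls. The commit message should say where this chapter can be read after the removal. The navfooter at the end of the hunk links to AdvancedNetworkManagement.html, ProfileMgmt.html, optional.html and index.html in the same directory, so please check that every linked page goes away in this same change and that nothing outside docs/htmldocs still links to PolicyMgmt.html. The generator meta tag in the Portability.html header just below shows these pages are DocBook XSL Stylesheets output; if they are generated files being dropped from version control, saying so and naming the build step that recreates them would make the deletion easier to review.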
diff --git a/docs/htmldocs/Samba3-HOWTO/Portability.html b/docs/htmldocs/Samba3-HOWTO/Portability.html
deleted file mode 100644
index eff8eecd97..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/Portability.html
+++ /dev/null
@@ -1,153 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 43. Portability</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="compiling.html" title="Chapter 42. How to Compile Samba"><link rel="next" href="Other-Clients.html" title="Chapter 44. Samba and Other CIFS Clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 43. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 43. Portability"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 43. 
Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="Portability.html#id450764">HPUX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id450860">SCO UNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id450891">DNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451021">Red Hat Linux</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451060">AIX: Sequential Read Ahead</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451114">Solaris</a></span></dt><dd><dl><dt><span class="sect2"><a href="Portability.html#id451119">Locking Improvements</a></span></dt><dt><span class="sect2"><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id450749"></a>
-<a class="indexterm" name="id450755"></a>
-Samba works on a wide range of platforms, but the interface all the
-platforms provide is not always compatible. This chapter contains
-platform-specific information about compiling and using Samba.</p><div class="sect1" title="HPUX"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id450764"></a>HPUX</h2></div></div></div><p>
-<a class="indexterm" name="id450772"></a>
-<a class="indexterm" name="id450779"></a>
-Hewlett-Packard's implementation of supplementary groups is nonstandard (for
-historical reasons). There are two group files, <code class="filename">/etc/group</code> and
-<code class="filename">/etc/logingroup</code>; the system maps UIDs to numbers using the former, but
-initgroups() reads the latter. Most system admins who know the ropes
-symlink <code class="filename">/etc/group</code> to <code class="filename">/etc/logingroup</code>
-(hard-link does not work for reasons too obtuse to go into here). initgroups() will complain if one of the
-groups you're in, in <code class="filename">/etc/logingroup</code>, has what it considers to be an invalid
-ID, which means outside the range <code class="constant">[0..UID_MAX]</code>, where <code class="constant">UID_MAX</code> is
-60000 currently on HP-UX. This precludes -2 and 65534, the usual <code class="constant">nobody</code>
-GIDs.
-</p><p>
-If you encounter this problem, make sure the programs that are failing
-to initgroups() are run as users, not in any groups with GIDs outside the
-allowed range.
-</p><p>
-This is documented in the HP manual pages under setgroups(2) and passwd(4).
-</p><p>
-<a class="indexterm" name="id450843"></a>
-<a class="indexterm" name="id450849"></a>
-On HP-UX you must use gcc or the HP ANSI compiler. The free compiler
-that comes with HP-UX is not ANSI compliant and cannot compile Samba.
-</p></div><div class="sect1" title="SCO UNIX"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id450860"></a>SCO UNIX</h2></div></div></div><p>
-If you run an old version of SCO UNIX, you may need to get important
-TCP/IP patches for Samba to work correctly. Without the patch, you may
-encounter corrupt data transfers using Samba.
-</p><p>
-The patch you need is UOD385 Connection Drivers SLS. It is available from
-SCO <a class="ulink" href="ftp://ftp.sco.com/" target="_top">ftp.sco.com</a>, directory SLS,
-files uod385a.Z and uod385a.ltr.Z).
-</p><p>
-The information provided here refers to an old version of SCO UNIX. If you require
-binaries for more recent SCO UNIX products, please contact SCO to obtain packages that are
-ready to install. You should also verify with SCO that your platform is up to date for the
-binary packages you will install. This is important if you wish to avoid data corruption
-problems with your installation. To build Samba for SCO UNIX products may
-require significant patching of Samba source code. It is much easier to obtain binary
-packages directly from SCO.
-</p></div><div class="sect1" title="DNIX"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id450891"></a>DNIX</h2></div></div></div><p>
-DNIX has a problem with seteuid() and setegid(). These routines are
-needed for Samba to work correctly, but they were left out of the DNIX
-C library for some reason.
-</p><p>
-For this reason Samba by default defines the macro NO_EID in the DNIX
-section of includes.h. This works around the problem in a limited way,
-but it is far from ideal, and some things still will not work right.
-</p><p>
-To fix the problem properly, you need to assemble the following two
-functions and then either add them to your C library or link them into
-Samba. Put the following in the file <code class="filename">setegid.s</code>:
-</p><pre class="programlisting">
- .globl _setegid
-_setegid:
- moveq #47,d0
- movl #100,a0
- moveq #1,d1
- movl 4(sp),a1
- trap #9
- bccs 1$
- jmp cerror
-1$:
- clrl d0
- rts
-</pre><p>
-Put this in the file <code class="filename">seteuid.s</code>:
-</p><pre class="programlisting">
- .globl _seteuid
-_seteuid:
- moveq #47,d0
- movl #100,a0
- moveq #0,d1
- movl 4(sp),a1
- trap #9
- bccs 1$
- jmp cerror
-1$:
- clrl d0
- rts
-</pre><p>
-After creating the files, you then assemble them using
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>as seteuid.s</code></strong>
-<code class="prompt">$ </code><strong class="userinput"><code>as setegid.s</code></strong>
-</pre><p>
-which should produce the files <code class="filename">seteuid.o</code> and
-<code class="filename">setegid.o</code>.
-</p><p>
-Next you need to add these to the LIBSM line in the DNIX section of
-the Samba Makefile. Your LIBSM line will look something like this:
-</p><pre class="programlisting">
-LIBSM = setegid.o seteuid.o -ln
-</pre><p>
-You should then remove the line:
-</p><pre class="programlisting">
-#define NO_EID
-</pre><p>from the DNIX section of <code class="filename">includes.h</code>.</p></div><div class="sect1" title="Red Hat Linux"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451021"></a>Red Hat Linux</h2></div></div></div><p>
-By default during installation, some versions of Red Hat Linux add an
-entry to <code class="filename">/etc/hosts</code> as follows:
-</p><pre class="programlisting">
-127.0.0.1 loopback "hostname"."domainname"
-</pre><p>
-</p><p>
-<a class="indexterm" name="id451044"></a>
-This causes Samba to loop back onto the loopback interface.
-The result is that Samba fails to communicate correctly with
-the world and therefore may fail to correctly negotiate who
-is the master browse list holder and who is the master browser.
-</p><p>
-Corrective action: Delete the entry after the word "loopback"
-in the line starting 127.0.0.1.
-</p></div><div class="sect1" title="AIX: Sequential Read Ahead"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451060"></a>AIX: Sequential Read Ahead</h2></div></div></div><p>
-Disabling sequential read ahead can improve Samba performance significantly
-when there is a relatively high level of multiprogramming (many smbd processes
-or mixed with another workload), not an abundance of physical memory or slower
-disk technology. These can cause AIX to have a higher WAIT values. Disabling
-sequential read-ahead can also have an adverse affect on other workloads in the
-system so you will need to evaluate other applications for impact.
-</p><p>
-It is recommended to use the defaults provided by IBM, but if you experience a
-high amount of wait time, try disabling read-ahead with the following commands:
-</p><p>
-For AIX 5.1 and earlier: <strong class="userinput"><code>vmtune -r 0</code></strong>
-</p><p>
-For AIX 5.2 and later jfs filesystems: <strong class="userinput"><code>ioo -o minpgahead=0</code></strong>
-</p><p>
-For AIX 5.2 and later jfs2 filesystems: <strong class="userinput"><code>ioo -o j2_minPageReadAhead=0</code></strong>
-</p><p>
-If you have a mix of jfs and jfs2 filesystems on the same host, simply use both
-ioo commands.
-</p></div><div class="sect1" title="Solaris"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id451114"></a>Solaris</h2></div></div></div><div class="sect2" title="Locking Improvements"><div class="titlepage"><div><div><h3 class="title"><a name="id451119"></a>Locking Improvements</h3></div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl
-when running Samba on Solaris. The built-in file-locking mechanism was
-not scalable. Performance would degrade to the point where processes would
-get into loops of trying to lock a file. It would try a lock, then fail,
-then try again. The lock attempt was failing before the grant was
-occurring. The visible manifestation of this was a handful of
-processes stealing all of the CPU, and when they were trussed, they would
-be stuck in F_SETLKW64 loops.
-</p><p>
-Please check with Sun support for current patches needed to fix this bug.
-The patch revision for 2.6 is 105181-34, for 8 is 108528-19, and for 9 is 112233-04.
-After the installation of these patches, it is recommended to reconfigure
-and rebuild Samba.
-</p><p>Thanks to Joe Meslovich for reporting this.</p></div><div class="sect2" title="Winbind on Solaris 9"><div class="titlepage"><div><div><h3 class="title"><a name="winbind-solaris9"></a>Winbind on Solaris 9</h3></div></div></div><p>
-Nsswitch on Solaris 9 refuses to use the Winbind NSS module. This behavior
-is fixed by Sun in patch <a class="ulink" href="http://sunsolve.sun.com/search/advsearch.do?collection=PATCH&amp;type=collections&amp;max=50&amp;language=en&amp;queryKey5=112960;rev=14&amp;toDocument=yes" target="_top">112960-14</a>.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 42. How to Compile Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 44. Samba and Other CIFS Clients</td></tr></table></div></body></html>
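Review bot: Nothing in this hunk says where the Portability chapter can be read once Portability.html is deleted. The markup looks like generated HTML (numbered indexterm anchors, the Prev/Up/Next navfooter on the last removed line), so please state in the commit message or a docs README that the chapter is still built from its source and how to build it. This matters for the operational guidance being removed here: the DNIX steps that link seteuid.o and setegid.o and then drop "#define NO_EID" from includes.h, which the text itself calls a limited workaround, and the Solaris F_SETLKW64 patch revisions 105181-34, 108528-19 and 112233-04. If a source copy is kept, it would also carry the stray ")" after "uod385a.ltr.Z" in the SCO UNIX paragraph and "adverse affect" in the AIX paragraph, which are worth fixing there.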
diff --git a/docs/htmldocs/Samba3-HOWTO/ProfileMgmt.html b/docs/htmldocs/Samba3-HOWTO/ProfileMgmt.html
deleted file mode 100644
index 7a91a2dee5..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/ProfileMgmt.html
+++ /dev/null
@@ -1,644 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 27. Desktop Profile Management</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="PolicyMgmt.html" title="Chapter 26. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 27. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 27. Desktop Profile Management"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 27. 
Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ProfileMgmt.html#id424037">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id424080">Roaming Profiles</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id424128">Samba Configuration for Profile Handling</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id424698">Windows Client Profile Configuration Information</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id425966">User Profile Hive Cleanup Service</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id425996">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id426086">Profile Migration from Windows NT4/200x Server to Samba</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id426418">Mandatory Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id426546">Creating and Managing Group Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id426613">Default Profile for Windows Users</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id426639">MS Windows 9x/Me</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a></span></dt></dl></dd><dt><span class="sect1"><a 
href="ProfileMgmt.html#id427765">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id427775">Configuring Roaming Profiles for a Few Users or Groups</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427829">Cannot Use Roaming Profiles</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427978">Changing the Default Profile</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id428131">Debugging Roaming Profiles and NT4-style Domain Policies</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id424037"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id424045"></a>
-Roaming profiles are feared by some, hated by a few, loved by many, and a godsend for
-some administrators.
-</p><p>
-<a class="indexterm" name="id424056"></a>
-Roaming profiles allow an administrator to make available a consistent user desktop
-as the user moves from one machine to another. This chapter provides much information
-regarding how to configure and manage roaming profiles.
-</p><p>
-<a class="indexterm" name="id424068"></a>
-While roaming profiles might sound like nirvana to some, they are a real and tangible
-problem to others. In particular, users of mobile computing tools, where often there may not
-be a sustained network connection, are often better served by purely local profiles.
-This chapter provides information to help the Samba administrator deal with those
-situations.
-</p></div><div class="sect1" title="Roaming Profiles"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id424080"></a>Roaming Profiles</h2></div></div></div><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-Roaming profiles support is different for Windows 9x/Me and Windows NT4/200x.
-</p></div><p>
-Before discussing how to configure roaming profiles, it is useful to see how
-Windows 9x/Me and Windows NT4/200x clients implement these features.
-</p><p>
-<a class="indexterm" name="id424099"></a>
-Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's
-profiles location. However, the response does not have room for a separate
-profiles location field, only the user's home share. This means that Windows 9x/Me
-profiles are restricted to being stored in the user's home directory.
-</p><p>
-<a class="indexterm" name="id424112"></a>
-<a class="indexterm" name="id424119"></a>
-Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields
-including a separate field for the location of the user's profiles.
-</p><div class="sect2" title="Samba Configuration for Profile Handling"><div class="titlepage"><div><div><h3 class="title"><a name="id424128"></a>Samba Configuration for Profile Handling</h3></div></div></div><p>
-This section documents how to configure Samba for MS Windows client profile support.
-</p><div class="sect3" title="NT4/200x User Profiles"><div class="titlepage"><div><div><h4 class="title"><a name="id424138"></a>NT4/200x User Profiles</h4></div></div></div><p>
-For example, to support Windows NT4/200x clients, set the following in the [global] section of the <code class="filename">smb.conf</code> file:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id424159"></a><em class="parameter"><code>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</code></em></td></tr></table><p>
-This is typically implemented like:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id424179"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr></table><p>
-where <span class="quote">&#8220;<span class="quote">%L</span>&#8221;</span> translates to the name of the Samba server and <span class="quote">&#8220;<span class="quote">%U</span>&#8221;</span> translates to the username.
-</p><p>
-The default for this option is <code class="filename">\\%N\%U\profile</code>, namely, <code class="filename">\\sambaserver\username\profile</code>.
-The <code class="filename">\\%N\%U</code> service is created automatically by the [homes] service. If you are using
-a Samba server for the profiles, you must make the share that is specified in the logon path
-browseable. Please refer to the man page for <code class="filename">smb.conf</code> regarding the different
-semantics of <span class="quote">&#8220;<span class="quote">%L</span>&#8221;</span> and <span class="quote">&#8220;<span class="quote">%N</span>&#8221;</span>, as well as <span class="quote">&#8220;<span class="quote">%U</span>&#8221;</span> and <span class="quote">&#8220;<span class="quote">%u</span>&#8221;</span>.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id424246"></a>
-<a class="indexterm" name="id424253"></a>
-MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended
-to not use the <em class="parameter"><code>homes</code></em> metaservice name as part of the profile share path.
-</p></div></div><div class="sect3" title="Windows 9x/Me User Profiles"><div class="titlepage"><div><div><h4 class="title"><a name="id424269"></a>Windows 9x/Me User Profiles</h4></div></div></div><p>
-<a class="indexterm" name="id424277"></a>
-<a class="indexterm" name="id424284"></a>
-To support Windows 9x/Me clients, you must use the <a class="link" href="smb.conf.5.html#LOGONHOME" target="_top">logon home</a>
-parameter. Samba has been fixed so <strong class="userinput"><code>net use /home</code></strong> now works as well and it, too, relies
-on the <em class="parameter"><code>logon home</code></em> parameter.
-</p><p>
-<a class="indexterm" name="id424318"></a>
-<a class="indexterm" name="id424325"></a>
-<a class="indexterm" name="id424332"></a>
-By using the <em class="parameter"><code>logon home</code></em> parameter, you are restricted to putting Windows 9x/Me profiles
-in the user's home directory. But wait! There is a trick you can use. If you set the following in the
-<em class="parameter"><code>[global]</code></em> section of your <code class="filename">smb.conf</code> file:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id424364"></a><em class="parameter"><code>logon home = \\%L\%U\.profiles</code></em></td></tr></table><p>
-then your Windows 9x/Me clients will dutifully put their clients in a subdirectory
-of your home directory called <code class="filename">.profiles</code> (making them hidden).
-</p><p>
-<a class="indexterm" name="id424385"></a>
-Not only that, but <strong class="userinput"><code>net use /home</code></strong> will also work because of a feature in
-Windows 9x/Me. It removes any directory stuff off the end of the home directory area
-and only uses the server and share portion. That is, it looks like you
-specified <code class="filename">\\%L\%U</code> for <a class="link" href="smb.conf.5.html#LOGONHOME" target="_top">logon home</a>.
-</p></div><div class="sect3" title="Mixed Windows Windows 9x/Me and NT4/200x User Profiles"><div class="titlepage"><div><div><h4 class="title"><a name="id424419"></a>Mixed Windows Windows 9x/Me and NT4/200x User Profiles</h4></div></div></div><p>
-You can support profiles for Windows 9x and Windows NT clients by setting both the
-<a class="link" href="smb.conf.5.html#LOGONHOME" target="_top">logon home</a> and <a class="link" href="smb.conf.5.html#LOGONPATH" target="_top">logon path</a> parameters. For example,
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id424456"></a><em class="parameter"><code>logon home = \\%L\%U\.profiles</code></em></td></tr><tr><td><a class="indexterm" name="id424468"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr></table><p>
-<a class="indexterm" name="id424481"></a>
-Windows 9x/Me and NT4 and later profiles should not be stored in the same location because
-Windows NT4 and later will experience problems with mixed profile environments.
-</p></div><div class="sect3" title="Disabling Roaming Profile Support"><div class="titlepage"><div><div><h4 class="title"><a name="id424492"></a>Disabling Roaming Profile Support</h4></div></div></div><p>
-<a class="indexterm" name="id424500"></a>
-The question often asked is, <span class="quote">&#8220;<span class="quote">How may I enforce use of local profiles?</span>&#8221;</span> or
-<span class="quote">&#8220;<span class="quote">How do I disable roaming profiles?</span>&#8221;</span>
-</p><p>
-<a class="indexterm" name="id424518"></a>
-There are three ways of doing this:
-</p><a class="indexterm" name="id424526"></a><div class="variablelist"><dl><dt><span class="term">In <code class="filename">smb.conf</code></span></dt><dd><p>
- Affect the following settings and ALL clients will be forced to use a local profile:
- <a class="link" href="smb.conf.5.html#LOGONHOME" target="_top">logon home = </a> and <a class="link" href="smb.conf.5.html#LOGONPATH" target="_top">logon path = </a>
- </p><p>
- The arguments to these parameters must be left blank. It is necessary to include the <code class="constant">=</code> sign
- to specifically assign the empty value.
- </p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd><p>
-<a class="indexterm" name="id424592"></a>
-<a class="indexterm" name="id424598"></a>
- Use the Microsoft Management Console (MMC) <code class="literal">gpedit.msc</code> to instruct your MS Windows XP
- machine to use only a local profile. This, of course, modifies registry settings. The full
- path to the option is:
-</p><pre class="screen">
-Local Computer Policy\
- Computer Configuration\
- Administrative Templates\
- System\
- User Profiles\
-
-Disable: Only Allow Local User Profiles
-Disable: Prevent Roaming Profile Change from Propagating to the Server
-</pre><p>
- </p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>From the start menu right-click on the <span class="guiicon">My Computer</span> icon,
- select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
- tab, select the profile you wish to change from
- <span class="guimenu">Roaming</span> type to <span class="guimenu">Local</span>, and click on
- <span class="guibutton">Change Type</span>.
- </p></dd></dl></div><p>
-Consult the MS Windows registry guide for your particular MS Windows version for more information
-about which registry keys to change to enforce use of only local user profiles.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id424686"></a>
-The specifics of how to convert a local profile to a roaming profile, or a roaming profile
-to a local one, vary according to the version of MS Windows you are running. Consult the Microsoft MS
-Windows Resource Kit for your version of Windows for specific information.
-</p></div></div></div><div class="sect2" title="Windows Client Profile Configuration Information"><div class="titlepage"><div><div><h3 class="title"><a name="id424698"></a>Windows Client Profile Configuration Information</h3></div></div></div><div class="sect3" title="Windows 9x/Me Profile Setup"><div class="titlepage"><div><div><h4 class="title"><a name="id424704"></a>Windows 9x/Me Profile Setup</h4></div></div></div><p>
-When a user first logs in on Windows 9x, the file user.DAT is created, as are folders <code class="filename">Start
-Menu</code>, <code class="filename">Desktop</code>, <code class="filename">Programs</code>, and
-<code class="filename">Nethood</code>. These directories and their contents will be merged with the local versions
-stored in <code class="filename">c:\windows\profiles\username</code> on subsequent logins, taking the most recent from
-each. You will need to use the <em class="parameter"><code>[global]</code></em> options <a class="link" href="smb.conf.5.html#PRESERVECASE" target="_top">preserve case = yes</a>, <a class="link" href="smb.conf.5.html#SHORTPRESERVECASE" target="_top">short preserve case = yes</a>, and <a class="link" href="smb.conf.5.html#CASESENSITIVE" target="_top">case sensitive = no</a> in order to maintain capital letters in shortcuts in any of the
-profile folders.
-</p><p>
-<a class="indexterm" name="id424786"></a>
-<a class="indexterm" name="id424792"></a>
-The <code class="filename">user.DAT</code> file contains all the user's preferences. If you wish to enforce a set of preferences,
-rename their <code class="filename">user.DAT</code> file to <code class="filename">user.MAN</code>, and deny them write access to this file.
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- On the Windows 9x/Me machine, go to <span class="guimenu">Control Panel</span> -&gt;
- <span class="guimenuitem">Passwords</span> and select the <span class="guilabel">User Profiles</span> tab.
- Select the required level of roaming preferences. Press <span class="guibutton">OK</span>, but do not
- allow the computer to reboot.
- </p></li><li class="listitem"><p>
- On the Windows 9x/Me machine, go to <span class="guimenu">Control Panel</span> -&gt;
- <span class="guimenuitem">Network</span> -&gt; <span class="guimenuitem">Client for Microsoft Networks</span>
- -&gt; <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to NT Domain</span>. Then,
- ensure that the Primary Logon is <span class="guilabel">Client for Microsoft Networks</span>. Press
- <span class="guibutton">OK</span>, and this time allow the computer to reboot.
- </p></li></ol></div><p>
-<a class="indexterm" name="id424910"></a>
-<a class="indexterm" name="id424916"></a>
-<a class="indexterm" name="id424923"></a>
-<a class="indexterm" name="id424930"></a>
-Under Windows 9x/Me, profiles are downloaded from the Primary Logon. If you have the Primary Logon
-as <span class="quote">&#8220;<span class="quote">Client for Novell Networks</span>&#8221;</span>, then the profiles and logon script will be downloaded from
-your Novell server. If you have the Primary Logon as <span class="quote">&#8220;<span class="quote">Windows Logon</span>&#8221;</span>, then the profiles will
-be loaded from the local machine a bit against the concept of roaming profiles, it would seem!
-</p><p>
-<a class="indexterm" name="id424954"></a>
-You will now find that the Microsoft Networks Login box contains <code class="constant">[user, password, domain]</code> instead
-of just <code class="constant">[user, password]</code>. Type in the Samba server's domain name (or any other domain known to exist,
-but bear in mind that the user will be authenticated against this domain and profiles downloaded from it
-if that domain logon server supports it), user name and user's password.
-</p><p>
-Once the user has been successfully validated, the Windows 9x/Me machine informs you that
-<code class="computeroutput">The user has not logged on before</code> and asks <code class="computeroutput">Do you
-wish to save the user's preferences?</code> Select <span class="guibutton">Yes</span>.
-</p><p>
-Once the Windows 9x/Me client comes up with the desktop, you should be able to examine the
-contents of the directory specified in the <a class="link" href="smb.conf.5.html#LOGONPATH" target="_top">logon path</a> on
-the Samba server and verify that the <code class="filename">Desktop</code>, <code class="filename">Start Menu</code>,
-<code class="filename">Programs</code>, and <code class="filename">Nethood</code> folders have been created.
-</p><p>
-<a class="indexterm" name="id425035"></a>
-<a class="indexterm" name="id425042"></a>
-<a class="indexterm" name="id425048"></a>
-These folders will be cached locally on the client and updated when the user logs off (if
-you haven't made them read-only by then). You will find that if the user creates further folders or
-shortcuts, the client will merge the profile contents downloaded with the contents of the profile
-directory already on the local client, taking the newest folders and shortcut from each set.
-</p><p>
-<a class="indexterm" name="id425062"></a>
-<a class="indexterm" name="id425068"></a>
-<a class="indexterm" name="id425075"></a>
-<a class="indexterm" name="id425082"></a>
-If you have made the folders/files read-only on the Samba server, then you will get errors from
-the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile.
-Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions
-and ownership rights on the profile directory contents, on the Samba server.
-</p><p>
-<a class="indexterm" name="id425095"></a>
-<a class="indexterm" name="id425102"></a>
-<a class="indexterm" name="id425109"></a>
-<a class="indexterm" name="id425116"></a>
-<a class="indexterm" name="id425123"></a>
-If you have problems creating user profiles, you can reset the user's local desktop cache, as shown below.
-When this user next logs in, the user will be told that he/she is logging in <span class="quote">&#8220;<span class="quote">for the first
-time</span>&#8221;</span>.
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- Instead of logging in under the [user, password, domain] dialog, press <span class="guibutton">escape</span>.
- </p></li><li class="listitem"><p>
- Run the <code class="literal">regedit.exe</code> program, and look in:
- </p><p>
- <code class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</code>
- </p><p>
- You will find an entry for each user of ProfilePath. Note the contents of this key
- (likely to be <code class="filename">c:\windows\profiles\username</code>), then delete the key
- <em class="parameter"><code>ProfilePath</code></em> for the required user.
- </p></li><li class="listitem"><p>
- Exit the registry editor.
- </p></li><li class="listitem"><p>
- Search for the user's .PWL password-caching file in the <code class="filename">c:\windows</code> directory, and delete it.
- </p></li><li class="listitem"><p>
- Log off the Windows 9x/Me client.
- </p></li><li class="listitem"><p>
- Check the contents of the profile path (see <a class="link" href="smb.conf.5.html#LOGONPATH" target="_top">logon path</a>
- described above) and delete the <code class="filename">user.DAT</code> or <code class="filename">user.MAN</code>
- file for the user, making a backup if required.
- </p></li></ol></div><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-<a class="indexterm" name="id425246"></a>
-Before deleting the contents of the directory listed in the <em class="parameter"><code>ProfilePath</code></em>
-(this is likely to be <code class="filename">c:\windows\profiles\username)</code>, ask whether the owner has
-any important files stored on his or her desktop or start menu. Delete the contents of the
-directory <em class="parameter"><code>ProfilePath</code></em> (making a backup if any of the files are needed).
-</p><p>
-This will have the effect of removing the local (read-only hidden system file) <code class="filename">user.DAT</code>
-in their profile directory, as well as the local <span class="quote">&#8220;<span class="quote">desktop,</span>&#8221;</span> <span class="quote">&#8220;<span class="quote">nethood,</span>&#8221;</span>
-<span class="quote">&#8220;<span class="quote">start menu,</span>&#8221;</span> and <span class="quote">&#8220;<span class="quote">programs</span>&#8221;</span> folders.
-</p></div><p>
-<a class="indexterm" name="id425300"></a>
-<a class="indexterm" name="id425306"></a>
-<a class="indexterm" name="id425313"></a>
-<a class="indexterm" name="id425320"></a>
-If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet
-sniffer program such as ethereal or <code class="literal">netmon.exe</code>, and look for error messages.
-</p><p>
-<a class="indexterm" name="id425337"></a>
-<a class="indexterm" name="id425344"></a>
-If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or
-netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces
-provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace.
-</p></div><div class="sect3" title="Windows NT4 Workstation"><div class="titlepage"><div><div><h4 class="title"><a name="id425356"></a>Windows NT4 Workstation</h4></div></div></div><p>
-When a user first logs in to a Windows NT workstation, the profile NTuser.DAT is created. The profile
-location can be now specified through the <a class="link" href="smb.conf.5.html#LOGONPATH" target="_top">logon path</a> parameter.
-</p><p>
-There is a parameter that is now available for use with NT Profiles: <a class="link" href="smb.conf.5.html#LOGONDRIVE" target="_top">logon drive</a>.
-This should be set to <code class="filename">H:</code> or any other drive, and should be used in conjunction with
-the new <a class="link" href="smb.conf.5.html#LOGONHOME" target="_top">logon home</a> parameter.
-</p><p>
-<a class="indexterm" name="id425412"></a>
-<a class="indexterm" name="id425419"></a>
-The entry for the NT4 profile is a directory, not a file. The NT help on profiles mentions that a
-directory is also created with a .PDS extension. The user, while logging in, must have write permission
-to create the full profile path (and the folder with the .PDS extension for those situations where it
-might be created).
-</p><p>
-<a class="indexterm" name="id425432"></a>
-In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates
-<code class="filename">Application Data</code> and others, as well as <code class="filename">Desktop</code>,
-<code class="filename">Nethood</code>, <code class="filename">Start Menu,</code> and <code class="filename">Programs</code>.
-The profile itself is stored in a file <code class="filename">NTuser.DAT</code>. Nothing appears to be stored
-in the .PDS directory, and its purpose is currently unknown.
-</p><p>
-<a class="indexterm" name="id425479"></a>
-<a class="indexterm" name="id425486"></a>
-You can use the <span class="application">System Control Panel</span> to copy a local profile onto
-a Samba server (see NT help on profiles; it is also capable of firing up the correct location in the
-<span class="application">System Control Panel</span> for you). The NT help file also mentions that renaming
-<code class="filename">NTuser.DAT</code> to <code class="filename">NTuser.MAN</code> turns a profile into a mandatory one.
-</p><p>
-The case of the profile is significant. The file must be called <code class="filename">NTuser.DAT</code>
-or, for a mandatory profile, <code class="filename">NTuser.MAN</code>.
-</p></div><div class="sect3" title="Windows 2000/XP Professional"><div class="titlepage"><div><div><h4 class="title"><a name="id425536"></a>Windows 2000/XP Professional</h4></div></div></div><p>
-You must first convert the profile from a local profile to a domain profile on the MS Windows
-workstation as follows: </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> Log on as the <span class="emphasis"><em>local</em></span> workstation administrator. </p></li><li class="step" title="Step 2"><p> Right-click on the <span class="guiicon">My Computer</span> icon, and select
- <span class="guimenuitem">Properties</span>.</p></li><li class="step" title="Step 3"><p> Click on the <span class="guilabel">User Profiles</span> tab.</p></li><li class="step" title="Step 4"><p> Select the profile you wish to convert (click it once).</p></li><li class="step" title="Step 5"><p> Click on the <span class="guibutton">Copy To</span> button.</p></li><li class="step" title="Step 6"><p> In the <span class="guilabel">Permitted to use</span> box, click on the
- <span class="guibutton">Change</span> button. </p></li><li class="step" title="Step 7"><p> Click on the <span class="guilabel">Look in</span> area that lists the machine name. When you click here, it will
- open up a selection box. Click on the domain to which the profile must be accessible. </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up.
- For example, connect as <em class="replaceable"><code>DOMAIN</code></em>\root, password:
- <em class="replaceable"><code>mypassword</code></em>.</p></div></li><li class="step" title="Step 8"><p> To make the profile capable of being used by anyone, select <span class="quote">&#8220;<span class="quote">Everyone</span>&#8221;</span>. </p></li><li class="step" title="Step 9"><p> Click on <span class="guibutton">OK</span> and the Selection box will close. </p></li><li class="step" title="Step 10"><p> Now click on <span class="guibutton">OK</span> to create the profile in the path
- you nominated. </p></li></ol></div><p>
-Done. You now have a profile that can be edited using the Samba <code class="literal">profiles</code> tool.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Under Windows NT/200x, the use of mandatory profiles forces the use of MS Exchange storage of mail
-data and keeps it out of the desktop profile. That keeps desktop profiles from becoming unusable.
-</p></div><div class="sect4" title="Windows XP Service Pack 1"><div class="titlepage"><div><div><h5 class="title"><a name="id425709"></a>Windows XP Service Pack 1</h5></div></div></div><p>
- There is a security check new to Windows XP (or maybe only Windows XP service pack 1).
- It can be disabled via a group policy in the Active Directory. The policy is called:
-</p><pre class="screen">
-Computer Configuration\Administrative Templates\System\User Profiles\
- Do not check for user ownership of Roaming Profile Folders
-</pre><p>
- </p><p>
- This should be set to <code class="constant">Enabled</code>.
- </p><p>
- Does the new version of Samba have an Active Directory analogue? If so, then you may be able to set the policy through this.
- </p><p>If you cannot set group policies in Samba, then you may be able to set the policy locally on
- each machine. If you want to try this, then do the following:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>On the XP workstation, log in with an administrative account.</p></li><li class="step" title="Step 2"><p>Click on <span class="guimenu">Start</span> -&gt; <span class="guimenuitem">Run</span>.</p></li><li class="step" title="Step 3"><p>Type <code class="literal">mmc</code>.</p></li><li class="step" title="Step 4"><p>Click on <span class="guibutton">OK</span>.</p></li><li class="step" title="Step 5"><p>A Microsoft Management Console should appear.</p></li><li class="step" title="Step 6"><p>Click on <span class="guimenu">File</span> -&gt; <span class="guimenuitem">Add/Remove Snap-in</span> -&gt; <span class="guimenuitem">Add</span>.</p></li><li class="step" title="Step 7"><p>Double-click on <span class="guiicon">Group Policy</span>.</p></li><li class="step" title="Step 8"><p>Click on <span class="guibutton">Finish</span> -&gt; <span class="guibutton">Close</span>.</p></li><li class="step" title="Step 9"><p>Click on <span class="guibutton">OK</span>.</p></li><li class="step" title="Step 10"><p>In the <span class="quote">&#8220;<span class="quote">Console Root</span>&#8221;</span> window expand <span class="guiicon">Local Computer Policy</span> -&gt;
- <span class="guiicon">Computer Configuration</span> -&gt; <span class="guiicon">Administrative Templates</span> -&gt;
- <span class="guiicon">System</span> -&gt; <span class="guiicon">User Profiles</span>.</p></li><li class="step" title="Step 11"><p>Double-click on <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span>.</p></li><li class="step" title="Step 12"><p>Select <span class="guilabel">Enabled</span>.</p></li><li class="step" title="Step 13"><p>Click on <span class="guibutton">OK</span>.</p></li><li class="step" title="Step 14"><p>Close the whole console. You do not need to save the settings (this refers to the
- console settings rather than the policies you have changed).</p></li><li class="step" title="Step 15"><p>Reboot.</p></li></ol></div></div></div></div><div class="sect2" title="User Profile Hive Cleanup Service"><div class="titlepage"><div><div><h3 class="title"><a name="id425966"></a>User Profile Hive Cleanup Service</h3></div></div></div><p>
-There are certain situations that cause a cached local copy of roaming profile not to be deleted on exit, even if
-the policy to force such deletion is set. To deal with that situation, a special service was created. The application
-<code class="literal">UPHClean</code> (User Profile Hive Cleanup) can be installed as a service on Windows NT4/2000/XP Professional
-and Windows 2003.
-</p><p>
-The UPHClean software package can be downloaded from the User Profile Hive Cleanup
-Service<sup>[<a name="id425987" href="#ftn.id425987" class="footnote">7</a>]</sup>
-web site.
-</p></div><div class="sect2" title="Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations"><div class="titlepage"><div><div><h3 class="title"><a name="id425996"></a>Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</h3></div></div></div><p>
-<a class="indexterm" name="id426004"></a>
-<a class="indexterm" name="id426011"></a>
-Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an
-evolving phenomenon, and profiles for later versions of MS Windows clients add features that may interfere
-with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is
-that when logging off an earlier version of MS Windows, the older format of profile contents may overwrite
-information that belongs to the newer version, resulting in loss of profile information content when that
-user logs on again with the newer version of MS Windows.
-</p><p>
-If you then want to share the same Start Menu and Desktop with Windows 9x/Me, you must specify a common
-location for the profiles. The <code class="filename">smb.conf</code> parameters that need to be common are
-<a class="link" href="smb.conf.5.html#LOGONPATH" target="_top">logon path</a> and <a class="link" href="smb.conf.5.html#LOGONHOME" target="_top">logon home</a>.
-</p><p>
-<a class="indexterm" name="id426058"></a>
-<a class="indexterm" name="id426064"></a>
-If you have this set up correctly, you will find separate <code class="filename">user.DAT</code> and
-<code class="filename">NTuser.DAT</code> files in the same profile directory.
-</p></div><div class="sect2" title="Profile Migration from Windows NT4/200x Server to Samba"><div class="titlepage"><div><div><h3 class="title"><a name="id426086"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div></div><p>
-<a class="indexterm" name="id426094"></a>
-There is nothing to stop you from specifying any path that you like for the location of users' profiles.
-Therefore, you could specify that the profile be stored on a Samba server or any other SMB server,
-as long as that SMB server supports encrypted passwords.
-</p><div class="sect3" title="Windows NT4 Profile Management Tools"><div class="titlepage"><div><div><h4 class="title"><a name="profilemigrn"></a>Windows NT4 Profile Management Tools</h4></div></div></div><p>
-<a class="indexterm" name="id426115"></a>
-Unfortunately, the resource kit information is specific to the version of MS Windows NT4/200x. The
-correct resource kit is required for each platform.
-</p><p>Here is a quick guide:</p><div class="procedure" title="Procedure 27.1. Profile Migration Procedure"><a name="id426128"></a><p class="title"><b>Procedure 27.1. Profile Migration Procedure</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> On your NT4 domain controller, right-click on <span class="guiicon">My Computer</span>, then select
- <span class="guilabel">Properties</span>, then the tab labeled <span class="guilabel">User Profiles</span>. </p></li><li class="step" title="Step 2"><p> Select a user profile you want to migrate and click on it. </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term <span class="quote">&#8220;<span class="quote">migrate</span>&#8221;</span> loosely. You can copy a profile to create a group
- profile. You can give the user <em class="parameter"><code>Everyone</code></em> rights to the profile you copy this to. That
- is what you need to do, since your Samba domain is not a member of a trust relationship with your NT4
- PDC.</p></div></li><li class="step" title="Step 3"><p>Click on the <span class="guibutton">Copy To</span> button.</p></li><li class="step" title="Step 4"><p>In the box labeled <span class="guilabel">Copy Profile to</span> add your new path, such as,
- <code class="filename">c:\temp\foobar</code></p></li><li class="step" title="Step 5"><p>Click on <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li class="step" title="Step 6"><p>Click on the group <span class="quote">&#8220;<span class="quote">Everyone</span>&#8221;</span>, click on <span class="guibutton">OK</span>. This
- closes the <span class="quote">&#8220;<span class="quote">choose user</span>&#8221;</span> box.</p></li><li class="step" title="Step 7"><p>Now click on <span class="guibutton">OK</span>.</p></li></ol></div><p>
-Follow these steps for every profile you need to migrate.
-</p></div><div class="sect3" title="Side Bar Notes"><div class="titlepage"><div><div><h4 class="title"><a name="id426269"></a>Side Bar Notes</h4></div></div></div><p>
-<a class="indexterm" name="id426277"></a>
-<a class="indexterm" name="id426283"></a>
-You should obtain the SID of your NT4 domain. You can use the <code class="literal">net rpc info</code> to do this.
-See <a class="link" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">The Net Command Chapter</a>, <a class="link" href="NetCommand.html#netmisc1" title="Other Miscellaneous Operations">Other Miscellaneous Operations</a> for more information.
-</p></div><div class="sect3" title="moveuser.exe"><div class="titlepage"><div><div><h4 class="title"><a name="id426318"></a>moveuser.exe</h4></div></div></div><p>
-<a class="indexterm" name="id426326"></a>
-The Windows 200x professional resource kit has <code class="literal">moveuser.exe</code>.
-<code class="literal">moveuser.exe</code> changes the security of a profile from one user to another. This allows the
-account domain to change and/or the username to change.
-</p><p>
-This command is like the Samba <code class="literal">profiles</code> tool.
-</p></div><div class="sect3" title="Get SID"><div class="titlepage"><div><div><h4 class="title"><a name="id426358"></a>Get SID</h4></div></div></div><p>
-<a class="indexterm" name="id426365"></a>
-<a class="indexterm" name="id426372"></a>
-You can identify the SID by using <code class="literal">GetSID.exe</code> from the Windows NT Server 4.0 Resource Kit.
-</p><p>
-Windows NT 4.0 stores the local profile information in the registry under the following key:
-<code class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</code>
-</p><p>
-Under the ProfileList key, there will be subkeys named with the SIDs of the users who have logged
-on to this computer. (To find the profile information for the user whose locally cached profile you want
-to move, find the SID for the user with the <code class="literal">GetSID.exe</code> utility.) Inside the appropriate user's subkey,
-you will see a string value named <em class="parameter"><code>ProfileImagePath</code></em>.
-</p></div></div></div><div class="sect1" title="Mandatory Profiles"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id426418"></a>Mandatory Profiles</h2></div></div></div><p>
-<a class="indexterm" name="id426425"></a>
-A mandatory profile is a profile that the user does not have the ability to overwrite. During the
-user's session, it may be possible to change the desktop environment; however, as the user logs out, all changes
-made will be lost. If it is desired to not allow the user any ability to change the desktop environment,
-then this must be done through policy settings. See <a class="link" href="PolicyMgmt.html" title="Chapter 26. System and Account Policies">System and Account
-Policies</a>.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id426447"></a>
-<a class="indexterm" name="id426453"></a>
-<a class="indexterm" name="id426460"></a>
-Under NO circumstances should the profile directory (or its contents) be made read-only because this may
-render the profile unusable. Where it is essential to make a profile read-only within the UNIX file system,
-this can be done, but then you absolutely must use the <code class="literal">fake-permissions</code> VFS module to
-instruct MS Windows NT/200x/XP clients that the Profile has write permission for the user. See <a class="link" href="VFS.html#fakeperms" title="fake_perms">fake_perms VFS module</a>.
-</p></div><p>
-<a class="indexterm" name="id426486"></a>
-<a class="indexterm" name="id426493"></a>
-For MS Windows NT4/200x/XP, the procedure shown in <a class="link" href="ProfileMgmt.html#profilemigrn" title="Windows NT4 Profile Management Tools">Profile Migration from Windows
-NT4/200x Server to Samba</a> can also be used to create mandatory profiles. To convert a group profile into
-a mandatory profile, simply locate the <code class="filename">NTUser.DAT</code> file in the copied profile and rename
-it to <code class="filename">NTUser.MAN</code>.
-</p><p>
-<a class="indexterm" name="id426524"></a>
-For MS Windows 9x/Me, it is the <code class="filename">User.DAT</code> file that must be renamed to
-<code class="filename">User.MAN</code> to effect a mandatory profile.
-</p></div><div class="sect1" title="Creating and Managing Group Profiles"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id426546"></a>Creating and Managing Group Profiles</h2></div></div></div><p>
-<a class="indexterm" name="id426554"></a>
-<a class="indexterm" name="id426561"></a>
-<a class="indexterm" name="id426567"></a>
-<a class="indexterm" name="id426574"></a>
-Most organizations are arranged into departments. There is a nice benefit in this fact, since usually
-most users in a department require the same desktop applications and the same desktop layout. MS
-Windows NT4/200x/XP will allow the use of group profiles. A group profile is a profile that is created
-first using a template (example) user. Then using the profile migration tool (see above), the profile is
-assigned access rights for the user group that needs to be given access to the group profile.
-</p><p>
-<a class="indexterm" name="id426593"></a>
-The next step is rather important. Instead of assigning a group profile to users (Using User Manager)
-on a <span class="quote">&#8220;<span class="quote">per-user</span>&#8221;</span> basis, the group itself is assigned the now modified profile.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Be careful with group profiles. If the user who is a member of a group also has a personal
-profile, then the result will be a fusion (merge) of the two.
-</p></div></div><div class="sect1" title="Default Profile for Windows Users"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id426613"></a>Default Profile for Windows Users</h2></div></div></div><p>
-<a class="indexterm" name="id426620"></a>
-<a class="indexterm" name="id426627"></a>
-MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile
-does not already exist. Armed with a knowledge of where the default profile is located on the Windows
-workstation, and knowing which registry keys affect the path from which the default profile is created,
-it is possible to modify the default profile to one that has been optimized for the site. This has
-significant administrative advantages.
-</p><div class="sect2" title="MS Windows 9x/Me"><div class="titlepage"><div><div><h3 class="title"><a name="id426639"></a>MS Windows 9x/Me</h3></div></div></div><p>
-<a class="indexterm" name="id426647"></a>
-<a class="indexterm" name="id426653"></a>
-To enable default per-use profiles in Windows 9x/Me, you can either use the <span class="application">Windows
-98 System Policy Editor</span> or change the registry directly.
-</p><p>
-To enable default per-user profiles in Windows 9x/Me, launch the <span class="application">System Policy
-Editor</span>, then select <span class="guimenu">File</span> -&gt; <span class="guimenuitem">Open Registry</span>.
-Next click on the <span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>,
-select <span class="guilabel">User Profiles</span>, and click on the enable box. Remember to save the registry
-changes.
-</p><p>
-<a class="indexterm" name="id426711"></a>
-To modify the registry directly, launch the <span class="application">Registry Editor</span>
-(<code class="literal">regedit.exe</code>) and select the hive <code class="filename">HKEY_LOCAL_MACHINE\Network\Logon</code>.
-Now add a DWORD type key with the name <span class="quote">&#8220;<span class="quote">User Profiles.</span>&#8221;</span> To enable user profiles to set the value
-to 1; to disable user profiles set it to 0.
-</p><div class="sect3" title="User Profile Handling with Windows 9x/Me"><div class="titlepage"><div><div><h4 class="title"><a name="id426742"></a>User Profile Handling with Windows 9x/Me</h4></div></div></div><p>
-When a user logs on to a Windows 9x/Me machine, the local profile path,
-<code class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</code>, is checked
-for an existing entry for that user.
-</p><p>
-If the user has an entry in this registry location, Windows 9x/Me checks for a locally cached
-version of the user profile. Windows 9x/Me also checks the user's home directory (or other specified
-directory if the location has been modified) on the server for the user profile. If a profile exists
-in both locations, the newer of the two is used. If the user profile exists on the server but does not
-exist on the local machine, the profile on the server is downloaded and used. If the user profile only
-exists on the local machine, that copy is used.
-</p><p>
-If a user profile is not found in either location, the default user profile from the Windows
-9x/Me machine is used and copied to a newly created folder for the logged on user. At log off, any
-changes that the user made are written to the user's local profile. If the user has a roaming profile,
-the changes are written to the user's profile on the server.
-</p></div></div><div class="sect2" title="MS Windows NT4 Workstation"><div class="titlepage"><div><div><h3 class="title"><a name="id426778"></a>MS Windows NT4 Workstation</h3></div></div></div><p>
-On MS Windows NT4, the default user profile is obtained from the location
-<code class="filename">%SystemRoot%\Profiles</code>, which in a default installation will translate to
-<code class="filename">C:\Windows NT\Profiles</code>. Under this directory on a clean install, there will be three
-directories: <code class="filename">Administrator</code>, <code class="filename">All
-Users,</code> and <code class="filename">Default
-User</code>.
-</p><p>
-The <code class="filename">All Users</code> directory contains menu settings that are common across all
-system users. The <code class="filename">Default User</code> directory contains menu entries that are customizable
-per user depending on the profile settings chosen/created.
-</p><p>
-When a new user first logs onto an MS Windows NT4 machine, a new profile is created from:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>All Users settings.</p></li><li class="listitem"><p>Default User settings (contains the default <code class="filename">NTUser.DAT</code> file).</p></li></ul></div><p>
-<a class="indexterm" name="id426859"></a>
-When a user logs on to an MS Windows NT4 machine that is a member of a Microsoft security domain,
-the following steps are followed for profile handling:
-</p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> The user's account information that is obtained during the logon process
- contains the location of the user's desktop profile. The profile path may be local to
- the machine or it may be located on a network share. If there exists a profile at the
- location of the path from the user account, then this profile is copied to the location
- <code class="filename">%SystemRoot%\Profiles\%USERNAME%</code>. This profile then inherits the settings
- in the <code class="filename">All Users</code> profile in the <code class="filename">%SystemRoot%\Profiles</code>
- location. </p></li><li class="step" title="Step 2"><p> If the user account has a profile path, but at its location a profile does not
- exist, then a new profile is created in the <code class="filename">%SystemRoot%\Profiles\%USERNAME%</code>
- directory from reading the <code class="filename">Default User</code> profile. </p></li><li class="step" title="Step 3"><p>
-<a class="indexterm" name="id426929"></a>
-<a class="indexterm" name="id426936"></a>
-<a class="indexterm" name="id426943"></a>
-<a class="indexterm" name="id426950"></a>
-<a class="indexterm" name="id426956"></a>
- If the NETLOGON share on the authenticating server (logon server) contains
- a policy file (<code class="filename">NTConfig.POL</code>), then its contents are applied to the
- <code class="filename">NTUser.DAT</code>, which is applied to the <code class="filename">HKEY_CURRENT_USER</code>
- part of the registry.
- </p></li><li class="step" title="Step 4"><p> When the user logs out, if the profile is set to be a roaming profile, it will be
- written out to the location of the profile. The <code class="filename">NTuser.DAT</code> file is then
- re-created from the contents of the <code class="filename">HKEY_CURRENT_USER</code> contents. Thus,
- should there not exist in the NETLOGON share an <code class="filename">NTConfig.POL</code> at the next
- logon, the effect of the previous <code class="filename">NTConfig.POL</code> will still be held in the
- profile. The effect of this is known as tattooing.
- </p></li></ol></div><p>
-MS Windows NT4 profiles may be <span class="emphasis"><em>local</em></span> or <span class="emphasis"><em>roaming</em></span>. A local
-profile is stored in the <code class="filename">%SystemRoot%\Profiles\%USERNAME%</code> location. A roaming
-profile will also remain stored in the same way, unless the following registry key is created:
-</p><pre class="screen">
-HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
-winlogon\"DeleteRoamingCache"=dword:0000000
-</pre><p>
-In this case, the local copy (in <code class="filename">%SystemRoot%\Profiles\%USERNAME%</code>) will be deleted
-on logout.
-</p><p>
-<a class="indexterm" name="id427055"></a>
-Under MS Windows NT4, default locations for common resources like <code class="filename">My Documents</code>
-may be redirected to a network share by modifying the following registry keys. These changes may be
-made via use of the System Policy Editor. To do so may require that you create your own template
-extension for the Policy Editor to allow this to be done through the GUI. Another way to do this is by
-first creating a default user profile, then while logged in as that user, running <code class="literal">regedt32</code> to edit
-the key settings.
-</p><p>
-The Registry Hive key that affects the behavior of folders that are part of the default user
-profile are controlled by entries on Windows NT4 is:
-</p><pre class="screen">
-HKEY_CURRENT_USER
- \Software
- \Microsoft
- \Windows
- \CurrentVersion
- \Explorer
- \User Shell Folders
-</pre><p>
-<a class="indexterm" name="id427088"></a>
-</p><p> The above hive key contains a list of automatically managed
-folders. The default entries are shown in <a class="link" href="ProfileMgmt.html#ProfileLocs" title="Table 27.1. User Shell Folder Registry Keys Default Values">the next table</a>.
-</p><div class="table"><a name="ProfileLocs"></a><p class="title"><b>Table 27.1. User Shell Folder Registry Keys Default Values</b></p><div class="table-contents"><table summary="User Shell Folder Registry Keys Default Values" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="left">Default Value</th></tr></thead><tbody><tr><td align="left">AppData</td><td align="left">%USERPROFILE%\Application Data</td></tr><tr><td align="left">Desktop</td><td align="left">%USERPROFILE%\Desktop</td></tr><tr><td align="left">Favorites</td><td align="left">%USERPROFILE%\Favorites</td></tr><tr><td align="left">NetHood</td><td align="left">%USERPROFILE%\NetHood</td></tr><tr><td align="left">PrintHood</td><td align="left">%USERPROFILE%\PrintHood</td></tr><tr><td align="left">Programs</td><td align="left">%USERPROFILE%\Start Menu\Programs</td></tr><tr><td align="left">Recent</td><td align="left">%USERPROFILE%\Recent</td></tr><tr><td align="left">SendTo</td><td align="left">%USERPROFILE%\SendTo</td></tr><tr><td align="left">Start Menu </td><td align="left">%USERPROFILE%\Start Menu</td></tr><tr><td align="left">Startup</td><td align="left">%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div></div><br class="table-break"><p> The registry key that contains the location of the default profile settings is:
-</p><pre class="screen">
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
-User Shell Folders
-</pre><p>
-</p><p>
-The default entries are shown in <a class="link" href="ProfileMgmt.html#regkeys" title="Table 27.2. Defaults of Profile Settings Registry Keys">Defaults of Profile Settings Registry Keys</a>.
-</p><div class="table"><a name="regkeys"></a><p class="title"><b>Table 27.2. Defaults of Profile Settings Registry Keys</b></p><div class="table-contents"><table summary="Defaults of Profile Settings Registry Keys" border="1"><colgroup><col align="left"><col align="left"></colgroup><tbody><tr><td align="left">Common Desktop</td><td align="left">%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td align="left">Common Programs</td><td align="left">%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td align="left">Common Start Menu</td><td align="left">%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td align="left">Common Startup</td><td align="left">%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" title="MS Windows 200x/XP"><div class="titlepage"><div><div><h3 class="title"><a name="id427303"></a>MS Windows 200x/XP</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id427312"></a>
-<a class="indexterm" name="id427318"></a>
-<a class="indexterm" name="id427325"></a>
-<a class="indexterm" name="id427332"></a>
-MS Windows XP Home Edition does use default per-user profiles, but cannot participate
-in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only
-from itself. While there are benefits in doing this, the beauty of those MS Windows clients that
-can participate in domain logon processes is that they allow the administrator to create a global default
-profile and enforce it through the use of Group Policy Objects (GPOs).
-</p></div><p>
-<a class="indexterm" name="id427346"></a>
-When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from
-<code class="filename">C:\Documents and Settings\Default User</code>. The administrator can modify or change the
-contents of this location, and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement,
-since it will involve copying a new default profile to every MS Windows 200x/XP client workstation.
-</p><p>
-<a class="indexterm" name="id427365"></a>
-When MS Windows 200x/XP participates in a domain security context, and if the default user profile is not
-found, then the client will search for a default profile in the NETLOGON share of the authenticating server.
-In MS Windows parlance, it is <code class="filename">%LOGONSERVER%\NETLOGON\Default User,</code>
-and if one exists there, it will copy this to the workstation in the <code class="filename">C:\Documents and
-Settings\</code> under the Windows login name of the use.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> This path translates, in Samba parlance, to the <code class="filename">smb.conf</code>
-<em class="parameter"><code>[NETLOGON]</code></em> share. The directory should be created at the root
-of this share and must be called <code class="filename">Default User</code>.
-</p></div><p> If a default profile does not exist in this location, then MS Windows 200x/XP will use the local
-default profile. </p><p> On logging out, the user's desktop profile is stored to the location specified in the registry
-settings that pertain to the user. If no specific policies have been created or passed to the client
-during the login process (as Samba does automatically), then the user's profile is written to the
-local machine only under the path <code class="filename">C:\Documents and Settings\%USERNAME%</code>. </p><p> Those wishing to modify the default behavior can do so through these three methods: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> Modify the registry keys on the local machine manually and place the new
- default profile in the NETLOGON share root. This is not recommended because it is maintenance intensive.
- </p></li><li class="listitem"><p> Create an NT4-style NTConfig.POL file that specifies this behavior and locate
- this file in the root of the NETLOGON share along with the new default profile. </p></li><li class="listitem"><p> Create a GPO that enforces this through Active Directory, and place the new
- default profile in the NETLOGON share. </p></li></ul></div><p>The registry hive key that affects the behavior of folders that are part of the default user
-profile are controlled by entries on Windows 200x/XP is: </p><p> <code class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
-Folders\</code> </p><p>
-This hive key contains a list of automatically managed folders. The default entries are shown
-in <a class="link" href="ProfileMgmt.html#defregpthkeys" title="Table 27.3. Defaults of Default User Profile Paths Registry Keys">the next table</a>
-<a class="indexterm" name="id427485"></a>
-</p><div class="table"><a name="defregpthkeys"></a><p class="title"><b>Table 27.3. Defaults of Default User Profile Paths Registry Keys</b></p><div class="table-contents"><table summary="Defaults of Default User Profile Paths Registry Keys" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="left">Default Value</th></tr></thead><tbody><tr><td align="left">AppData</td><td align="left">%USERPROFILE%\Application Data</td></tr><tr><td align="left">Cache</td><td align="left">%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td align="left">Cookies</td><td align="left">%USERPROFILE%\Cookies</td></tr><tr><td align="left">Desktop</td><td align="left">%USERPROFILE%\Desktop</td></tr><tr><td align="left">Favorites</td><td align="left">%USERPROFILE%\Favorites</td></tr><tr><td align="left">History</td><td align="left">%USERPROFILE%\Local Settings\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td align="left">Local Settings</td><td align="left">%USERPROFILE%\Local Settings</td></tr><tr><td align="left">My Pictures</td><td align="left">%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td align="left">NetHood</td><td align="left">%USERPROFILE%\NetHood</td></tr><tr><td align="left">Personal</td><td align="left">%USERPROFILE%\My Documents</td></tr><tr><td align="left">PrintHood</td><td align="left">%USERPROFILE%\PrintHood</td></tr><tr><td align="left">Programs</td><td align="left">%USERPROFILE%\Start Menu\Programs</td></tr><tr><td align="left">Recent</td><td align="left">%USERPROFILE%\Recent</td></tr><tr><td align="left">SendTo</td><td align="left">%USERPROFILE%\SendTo</td></tr><tr><td align="left">Start Menu</td><td align="left">%USERPROFILE%\Start Menu</td></tr><tr><td align="left">Startup</td><td align="left">%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td align="left">Templates</td><td 
align="left">%USERPROFILE%\Templates</td></tr></tbody></table></div></div><br class="table-break"><p> There is also an entry called <span class="quote">&#8220;<span class="quote">Default</span>&#8221;</span> that has no value set. The default entry is
-of type <code class="constant">REG_SZ</code>; all the others are of type <code class="constant">REG_EXPAND_SZ</code>. </p><p> It makes a huge difference to the speed of handling roaming user profiles if all the folders are
-stored on a dedicated location on a network server. This means that it will not be necessary to write
-the Outlook PST file over the network for every login and logout. </p><p>
-To set this to a network location, you could use the following examples:
-</p><pre class="screen">
-%LOGONSERVER%\%USERNAME%\Default Folders
-</pre><p>
-This stores the folders in the user's home directory under a directory called <code class="filename">Default
-Folders</code>. You could also use:
-</p><pre class="screen">
-\\<em class="replaceable"><code>SambaServer</code></em>\<em class="replaceable"><code>FolderShare</code></em>\%USERNAME%
-</pre><p>
-</p><p>
-in which case the default folders are stored in the server named <em class="replaceable"><code>SambaServer</code></em>
-in the share called <em class="replaceable"><code>FolderShare</code></em> under a directory that has the name of the
-MS Windows user as seen by the Linux/UNIX file system. </p><p> Please note that once you have created a default profile share, you <span class="emphasis"><em>must</em></span> migrate a user's profile
-(default or custom) to it. </p><p> MS Windows 200x/XP profiles may be <span class="emphasis"><em>local</em></span> or <span class="emphasis"><em>roaming</em></span>.
- A roaming profile is cached locally unless the following registry key is created:
-
-<a class="indexterm" name="id427743"></a>
-</p><p> </p><pre class="programlisting"> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
- winlogon\"DeleteRoamingCache"=dword:00000001</pre><p>
-In this case, the local cache copy is deleted on logout.
-</p></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id427765"></a>Common Errors</h2></div></div></div><p>
-The following are some typical errors, problems, and questions that have been asked on the Samba mailing lists.
-</p><div class="sect2" title="Configuring Roaming Profiles for a Few Users or Groups"><div class="titlepage"><div><div><h3 class="title"><a name="id427775"></a>Configuring Roaming Profiles for a Few Users or Groups</h3></div></div></div><p>
-With Samba-2.2.x, the choice you have is to enable or disable roaming profiles support. It is a
-global-only setting. The default is to have roaming profiles, and the default path will locate them in
-the user's home directory.
-</p><p>
-If disabled globally, then no one will have roaming profile ability. If enabled and you want it
-to apply only to certain machines, then on those machines on which roaming profile support is not wanted,
-it is necessary to disable roaming profile handling in the registry of each such machine.
-</p><p>
-With Samba-3, you can have a global profile setting in <code class="filename">smb.conf</code>, and you can override this by
-per-user settings using the Domain User Manager (as with MS Windows NT4/200x). </p><p> In any case, you can configure only one profile per user. That profile can be either: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A profile unique to that user.</p></li><li class="listitem"><p>A mandatory profile (one the user cannot change).</p></li><li class="listitem"><p>A group profile (really should be mandatory that is, unchangable).</p></li></ul></div></div><div class="sect2" title="Cannot Use Roaming Profiles"><div class="titlepage"><div><div><h3 class="title"><a name="id427829"></a>Cannot Use Roaming Profiles</h3></div></div></div><p> A user requested the following: <span class="quote">&#8220;<span class="quote"> I do not want roaming profiles to be implemented. I want
-to give users a local profile alone. I am totally lost with this error. For the past
-two days I tried everything, I googled around but found no useful pointers. Please help me. </span>&#8221;</span></p><p> The choices are: </p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p> I know of no registry keys that will allow
- autodeletion of LOCAL profiles on log out.</p></dd><dt><span class="term">Roaming profiles</span></dt><dd><p> As a user logs onto the network, a centrally
- stored profile is copied to the workstation to form a local profile. This local profile
- will persist (remain on the workstation disk) unless a registry key is changed that will
- cause this profile to be automatically deleted on logout. </p></dd></dl></div><p>The roaming profile choices are: </p><div class="variablelist"><dl><dt><span class="term">Personal roaming profiles</span></dt><dd><p> These are typically stored in
- a profile share on a central (or conveniently located local) server. </p><p> Workstations cache (store) a local copy of the profile. This cached
- copy is used when the profile cannot be downloaded at next logon. </p></dd><dt><span class="term">Group profiles</span></dt><dd><p>These are loaded from a central profile
- server.</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p> Mandatory profiles can be created for
- a user as well as for any group that a user is a member of. Mandatory profiles cannot be
- changed by ordinary users. Only the administrator can change or reconfigure a mandatory
- profile. </p></dd></dl></div><p> A Windows NT4/200x/XP profile can vary in size from 130KB to very large. Outlook PST files are
-most often part of the profile and can be many gigabytes in size. On average (in a well controlled environment),
-roaming profile size of 2MB is a good rule of thumb to use for planning purposes. In an undisciplined
-environment, I have seen up to 2GB profiles. Users tend to complain when it takes an hour to log onto a
-workstation, but they harvest the fruits of folly (and ignorance). </p><p> The point of this discussion is to show that roaming profiles and good controls of how they can be
-changed as well as good discipline make for a problem-free site. </p><p> Microsoft's answer to the PST problem is to store all email in an MS Exchange Server backend. This
-removes the need for a PST file. </p><p>Local profiles mean: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>If each machine is used by many users, then much local disk storage is needed
- for local profiles.</p></li><li class="listitem"><p>Every workstation the user logs into has
- its own profile; these can be very different from machine to machine.</p></li></ul></div><p> On the other hand, use of roaming profiles means: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>The network administrator can control the desktop environment of all users.</p></li><li class="listitem"><p>Use of mandatory profiles drastically reduces network management overheads.</p></li><li class="listitem"><p>In the long run, users will experience fewer problems.</p></li></ul></div></div><div class="sect2" title="Changing the Default Profile"><div class="titlepage"><div><div><h3 class="title"><a name="id427978"></a>Changing the Default Profile</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">When the client logs onto the domain controller, it searches
-for a profile to download. Where do I put this default profile?</span>&#8221;</span></p><p>
-<a class="indexterm" name="id427991"></a>
-First, the Samba server needs to be configured as a domain controller. This can be done by
-setting in <code class="filename">smb.conf</code>: </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id428011"></a><em class="parameter"><code>security = user</code></em></td></tr><tr><td><a class="indexterm" name="id428022"></a><em class="parameter"><code>os level = 32 (or more)</code></em></td></tr><tr><td><a class="indexterm" name="id428034"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr></table><p> There must be a <em class="parameter"><code>[netlogon]</code></em> share that is world readable. It is
-a good idea to add a logon script to preset printer and drive connections. There is also a facility
-for automatically synchronizing the workstation time clock with that of the logon server (another good
-thing to do). </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> To invoke autodeletion of roaming profiles from the local workstation cache (disk storage), use
-the <span class="application">Group Policy Editor</span> to create a file called <code class="filename">NTConfig.POL</code>
-with the appropriate entries. This file needs to be located in the <em class="parameter"><code>netlogon</code></em>
-share root directory.</p></div><p> Windows clients need to be members of the domain. Workgroup machines do not use network logons,
-so they do not interoperate with domain profiles. </p><p> For roaming profiles, add to <code class="filename">smb.conf</code>: </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id428100"></a><em class="parameter"><code>logon path = \\%N\profiles\%U</code></em></td></tr><tr><td># Default logon drive is Z:</td></tr><tr><td><a class="indexterm" name="id428115"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td># This requires a PROFILES share that is world writable.</td></tr></table></div><div class="sect2" title="Debugging Roaming Profiles and NT4-style Domain Policies"><div class="titlepage"><div><div><h3 class="title"><a name="id428131"></a>Debugging Roaming Profiles and NT4-style Domain Policies</h3></div></div></div><p>
-Roaming profiles and domain policies are implemented via <code class="literal">USERENV.DLL</code>.
-Microsoft Knowledge Base articles <a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;221833" target="_top">221833</a> and
-<a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;154120" target="_top">154120</a>
- describe how to instruct that DLL to debug the login process.
-</p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id425987" href="#id425987" class="para">7</a>] </sup>http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&amp;displaylang=en</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 26. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 28. PAM-Based Distributed Authentication</td></tr></table></div></body></html>
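Review bot: the change should say where this chapter is built or published from once the HTML is gone, because the navigation footer at the end of this hunk shows ProfileMgmt.html sits in a Prev/Next chain (PolicyMgmt.html, pam.html, index.html), and any copy of those pages that stays published would link to a missing file. If the chapter lives on in a source form, two statements in the removed text are worth rechecking there. The DeleteRoamingCache listing puts the value under HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon, while Winlogon settings live under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The roaming-profile example next to "logon path = \\%N\profiles\%U" asks for a world-writable PROFILES share and says nothing about restricting each user's directory to its owner.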
diff --git a/docs/htmldocs/Samba3-HOWTO/SWAT.html b/docs/htmldocs/Samba3-HOWTO/SWAT.html
deleted file mode 100644
index 65351b6e28..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/SWAT.html
+++ /dev/null
@@ -1,399 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. SWAT: The Samba Web Administration Tool</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="prev" href="NT4Migration.html" title="Chapter 36. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. SWAT: The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 37. SWAT: The Samba Web Administration Tool"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 37. 
SWAT: The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="SWAT.html#id443273">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SWAT.html#id443386">Guidelines and Technical Tips</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id443404">Validate SWAT Installation</a></span></dt><dt><span class="sect2"><a href="SWAT.html#xinetd">Enabling SWAT for Use</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id443982">Securing SWAT through SSL</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444127">Enabling SWAT Internationalization Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="SWAT.html#id444313">Overview and Quick Tour</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id444324">The SWAT Home Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444377">Global Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444473">Share Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444525">Printers Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444577">The SWAT Wizard</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444633">The Status Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444672">The View Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444690">The Password Change Page</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id443242"></a>
-<a class="indexterm" name="id443249"></a>
-<a class="indexterm" name="id443255"></a>
-There are many and varied opinions regarding the usefulness of SWAT. No matter how hard one tries to produce
-the perfect configuration tool, it remains an object of personal taste. SWAT is a tool that allows Web-based
-configuration of Samba. It has a wizard that may help to get Samba configured quickly, it has
-context-sensitive help on each <code class="filename">smb.conf</code> parameter, it provides for monitoring of current state of connection
-information, and it allows networkwide MS Windows network password management.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id443273"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id443281"></a>
-SWAT is a facility that is part of the Samba suite. The main executable is called
-<code class="literal">swat</code> and is invoked by the internetworking super daemon.
-See <a class="link" href="SWAT.html#xinetd" title="Enabling SWAT for Use">appropriate section</a> for details.
-</p><p>
-<a class="indexterm" name="id443307"></a>
-SWAT uses integral Samba components to locate parameters supported by the particular
-version of Samba. Unlike tools and utilities that are external to Samba, SWAT is always
-up to date as known Samba parameters change. SWAT provides context-sensitive help for each
-configuration parameter, directly from <code class="literal">man</code> page entries.
-</p><p>
-<a class="indexterm" name="id443325"></a>
-<a class="indexterm" name="id443332"></a>
-<a class="indexterm" name="id443339"></a>
-Some network administrators believe that it is a good idea to write systems
-documentation inside configuration files, and for them SWAT will always be a nasty tool. SWAT
-does not store the configuration file in any intermediate form; rather, it stores only the
-parameter settings, so when SWAT writes the <code class="filename">smb.conf</code> file to disk, it writes only
-those parameters that are at other than the default settings. The result is that all comments,
-as well as parameters that are no longer supported, will be lost from the <code class="filename">smb.conf</code> file.
-Additionally, the parameters will be written back in internal ordering.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id443367"></a>
-Before using SWAT, please be warned SWAT will completely replace your <code class="filename">smb.conf</code> with
-a fully optimized file that has been stripped of all comments you might have placed there
-and only nondefault settings will be written to the file.
-</p></div></div><div class="sect1" title="Guidelines and Technical Tips"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id443386"></a>Guidelines and Technical Tips</h2></div></div></div><p>
-<a class="indexterm" name="id443394"></a>
-This section aims to unlock the dark secrets behind how SWAT may be made to work,
-how it can be made more secure, and how to solve internationalization support problems.
-</p><div class="sect2" title="Validate SWAT Installation"><div class="titlepage"><div><div><h3 class="title"><a name="id443404"></a>Validate SWAT Installation</h3></div></div></div><p>
-<a class="indexterm" name="id443411"></a>
-The very first step that should be taken before attempting to configure a host
-system for SWAT operation is to check that it is installed. This may seem a trivial
-point to some, but several Linux distributions do not install SWAT by default,
-even though they do ship an installable binary support package containing SWAT
-on the distribution media.
-</p><p>
-<a class="indexterm" name="id443424"></a>
-When you have confirmed that SWAT is installed, it is necessary to validate
-that the installation includes the binary <code class="literal">swat</code> file as well
-as all the supporting text and Web files. A number of operating system distributions
-in the past have failed to include the necessary support files, even though the
-<code class="literal">swat</code> binary executable file was installed.
-</p><p>
-<a class="indexterm" name="id443449"></a>
-<a class="indexterm" name="id443456"></a>
-Finally, when you are sure that SWAT has been fully installed, please check that SWAT
-is enabled in the control file for the internetworking super-daemon (inetd or xinetd)
-that is used on your operating system platform.
-</p><div class="sect3" title="Locating the SWAT File"><div class="titlepage"><div><div><h4 class="title"><a name="id443466"></a>Locating the <code class="literal">SWAT</code> File</h4></div></div></div><p>
-<a class="indexterm" name="id443480"></a>
-<a class="indexterm" name="id443486"></a>
-<a class="indexterm" name="id443493"></a>
-To validate that SWAT is installed, first locate the <code class="literal">swat</code> binary
-file on the system. It may be found under the following directories:</p><table border="0" summary="Simple list" class="simplelist"><tr><td><code class="filename">/usr/local/samba/bin</code> the default Samba location</td></tr><tr><td><code class="filename">/usr/sbin</code> the default location on most Linux systems</td></tr><tr><td><code class="filename">/opt/samba/bin</code></td></tr></table><p>
-</p><p>
-The actual location is much dependent on the choice of the operating system vendor or as determined
-by the administrator who compiled and installed Samba.
-</p><p>
-There are a number of methods that may be used to locate the <code class="literal">swat</code> binary file.
-The following methods may be helpful.
-</p><p>
-<a class="indexterm" name="id443561"></a>
-<a class="indexterm" name="id443568"></a>
-<a class="indexterm" name="id443575"></a>
-If <code class="literal">swat</code> is in your current operating system search path, it will be easy to
-find it. You can ask what are the command-line options for <code class="literal">swat</code> as shown here:
-</p><pre class="screen">
-frodo:~ # swat -?
-Usage: swat [OPTION...]
- -a, --disable-authentication Disable authentication (demo mode)
-
-Help options:
- -?, --help Show this help message
- --usage Display brief usage message
-
-Common samba options:
- -d, --debuglevel=DEBUGLEVEL Set debug level
- -s, --configfile=CONFIGFILE Use alternative configuration file
- -l, --log-basename=LOGFILEBASE Basename for log/debug files
- -V, --version Print version
-</pre><p>
-</p></div><div class="sect3" title="Locating the SWAT Support Files"><div class="titlepage"><div><div><h4 class="title"><a name="id443611"></a>Locating the SWAT Support Files</h4></div></div></div><p>
-Now that you have found that <code class="literal">swat</code> is in the search path, it is easy
-to identify where the file is located. Here is another simple way this may be done:
-</p><pre class="screen">
-frodo:~ # whereis swat
-swat: /usr/sbin/swat /usr/share/man/man8/swat.8.gz
-</pre><p>
-</p><p>
-If the above measures fail to locate the <code class="literal">swat</code> binary, another approach
-is needed. The following may be used:
-</p><pre class="screen">
-frodo:/ # find / -name swat -print
-/etc/xinetd.d/swat
-/usr/sbin/swat
-/usr/share/samba/swat
-frodo:/ #
-</pre><p>
-</p><p>
-This list shows that there is a control file for <code class="literal">xinetd</code>, the internetwork
-super-daemon that is installed on this server. The location of the SWAT binary file is
-<code class="filename">/usr/sbin/swat</code>, and the support files for it are located under the
-directory <code class="filename">/usr/share/samba/swat</code>.
-</p><p>
-We must now check where <code class="literal">swat</code> expects to find its support files. This can
-be done as follows:
-</p><pre class="screen">
-frodo:/ # strings /usr/sbin/swat | grep "/swat"
-/swat/
-...
-/usr/share/samba/swat
-frodo:/ #
-</pre><p>
-</p><p>
-The <code class="filename">/usr/share/samba/swat/</code> entry shown in this listing is the location of the
-support files. You should verify that the support files exist under this directory. A sample
-list is as shown:
-</p><pre class="screen">
-jht@frodo:/&gt; find /usr/share/samba/swat -print
-/usr/share/samba/swat
-/usr/share/samba/swat/help
-/usr/share/samba/swat/lang
-/usr/share/samba/swat/lang/ja
-/usr/share/samba/swat/lang/ja/help
-/usr/share/samba/swat/lang/ja/help/welcome.html
-/usr/share/samba/swat/lang/ja/images
-/usr/share/samba/swat/lang/ja/images/home.gif
-...
-/usr/share/samba/swat/lang/ja/include
-/usr/share/samba/swat/lang/ja/include/header.nocss.html
-...
-/usr/share/samba/swat/lang/tr
-/usr/share/samba/swat/lang/tr/help
-/usr/share/samba/swat/lang/tr/help/welcome.html
-/usr/share/samba/swat/lang/tr/images
-/usr/share/samba/swat/lang/tr/images/home.gif
-...
-/usr/share/samba/swat/lang/tr/include
-/usr/share/samba/swat/lang/tr/include/header.html
-/usr/share/samba/swat/using_samba
-...
-/usr/share/samba/swat/images
-/usr/share/samba/swat/images/home.gif
-...
-/usr/share/samba/swat/include
-/usr/share/samba/swat/include/footer.html
-/usr/share/samba/swat/include/header.html
-jht@frodo:/&gt;
-</pre><p>
-</p><p>
-If the files needed are not available, it is necessary to obtain and install them
-before SWAT can be used.
-</p></div></div><div class="sect2" title="Enabling SWAT for Use"><div class="titlepage"><div><div><h3 class="title"><a name="xinetd"></a>Enabling SWAT for Use</h3></div></div></div><p>
-SWAT should be installed to run via the network super-daemon. Depending on which system
-your UNIX/Linux system has, you will have either an <code class="literal">inetd</code>- or
-<code class="literal">xinetd</code>-based system.
-</p><p>
-The nature and location of the network super-daemon varies with the operating system
-implementation. The control file (or files) can be located in the file
-<code class="filename">/etc/inetd.conf</code> or in the directory <code class="filename">/etc/[x]inet[d].d</code>
-or in a similar location.
-</p><p>
-The control entry for the older style file might be:
-<a class="indexterm" name="id443773"></a>
-</p><pre class="programlisting">
- # swat is the Samba Web Administration Tool
- swat stream tcp nowait.400 root /usr/sbin/swat swat
-</pre><p>
-A control file for the newer style xinetd could be:
-</p><p>
-</p><pre class="programlisting">
-# default: off
-# description: SWAT is the Samba Web Admin Tool. Use swat \
-# to configure your Samba server. To use SWAT, \
-# connect to port 901 with your favorite web browser.
-service swat
-{
- port = 901
- socket_type = stream
- wait = no
- only_from = localhost
- user = root
- server = /usr/sbin/swat
- log_on_failure += USERID
- disable = no
-}
-</pre><p>
-In the above, the default setting for <em class="parameter"><code>disable</code></em> is <code class="constant">yes</code>.
-This means that SWAT is disabled. To enable use of SWAT, set this parameter to <code class="constant">no</code>
-as shown.
-</p><p>
-<a class="indexterm" name="id443823"></a>
-<a class="indexterm" name="id443830"></a>
-<a class="indexterm" name="id443836"></a>
-<a class="indexterm" name="id443843"></a>
-Both of the previous examples assume that the <code class="literal">swat</code> binary has been
-located in the <code class="filename">/usr/sbin</code> directory. In addition to the above,
-SWAT will use a directory access point from which it will load its Help files
-as well as other control information. The default location for this on most Linux
-systems is in the directory <code class="filename">/usr/share/samba/swat</code>. The default
-location using Samba defaults will be <code class="filename">/usr/local/samba/swat</code>.
-</p><p>
-<a class="indexterm" name="id443880"></a>
-<a class="indexterm" name="id443886"></a>
-Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user,
-the only permission allowed is to view certain aspects of configuration as well as
-access to the password change facility. The buttons that will be exposed to the non-root
-user are <span class="guibutton">HOME</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, and
-<span class="guibutton">PASSWORD</span>. The only page that allows
-change capability in this case is <span class="guibutton">PASSWORD</span>.
-</p><p>
-As long as you log onto SWAT as the user <span class="emphasis"><em>root</em></span>, you should obtain
-full change and commit ability. The buttons that will be exposed include
-<span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>,
-<span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, and <span class="guibutton">PASSWORD</span>.
-</p></div><div class="sect2" title="Securing SWAT through SSL"><div class="titlepage"><div><div><h3 class="title"><a name="id443982"></a>Securing SWAT through SSL</h3></div></div></div><p>
-<a class="indexterm" name="id443990"></a>
-<a class="indexterm" name="id443996"></a>
-Many people have asked about how to set up SWAT with SSL to allow for secure remote
-administration of Samba. Here is a method that works, courtesy of Markus Krieger.
-</p><p>
-Modifications to the SWAT setup are as follows:
-</p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
-<a class="indexterm" name="id444020"></a>
- Install OpenSSL.
- </p></li><li class="step" title="Step 2"><p>
-<a class="indexterm" name="id444033"></a>
-<a class="indexterm" name="id444040"></a>
- Generate certificate and private key.
-<a class="indexterm" name="id444047"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
- /usr/share/doc/packages/stunnel/stunnel.cnf \
- -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</code></strong>
-</pre></li><li class="step" title="Step 3"><p>
- Remove SWAT entry from [x]inetd.
- </p></li><li class="step" title="Step 4"><p>
-<a class="indexterm" name="id444084"></a>
- Start <code class="literal">stunnel</code>.
-
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
- -l /usr/local/samba/bin/swat swat </code></strong>
-</pre></li></ol></div><p>
-Afterward, simply connect to SWAT by using the URL <a class="ulink" href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate, and the SSL connection is up.
-</p></div><div class="sect2" title="Enabling SWAT Internationalization Support"><div class="titlepage"><div><div><h3 class="title"><a name="id444127"></a>Enabling SWAT Internationalization Support</h3></div></div></div><p>
-SWAT can be configured to display its messages to match the settings of
-the language configurations of your Web browser. It will be passed to SWAT
-in the Accept-Language header of the HTTP request.
-</p><p>
-To enable this feature:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Install the proper <code class="literal">msg</code> files from the Samba
- <code class="filename">source/po</code> directory into $LIBDIR.
- </p></li><li class="listitem"><p>
- Set your browsers language setting.
- </p></li></ul></div><p>
-<a class="indexterm" name="id444168"></a>
-<a class="indexterm" name="id444175"></a>
-<a class="indexterm" name="id444182"></a>
-<a class="indexterm" name="id444188"></a>
-The name of the <code class="literal">msg</code> file is the same as the language ID sent by the browser. For
-example, <span class="emphasis"><em>en</em></span> means English, <span class="emphasis"><em>ja</em></span> means Japanese, <span class="emphasis"><em>fr</em></span> means French.
-</p><p>
-<a class="indexterm" name="id444216"></a>
-If you do not like some of messages, or there are no <code class="literal">msg</code> files for
-your locale, you can create them simply by copying the <code class="literal">en.msg</code> files
-to the directory for <span class="quote">&#8220;<span class="quote">your language ID.msg</span>&#8221;</span> and filling in proper strings
-to each <span class="quote">&#8220;<span class="quote">msgstr</span>&#8221;</span>. For example, in <code class="filename">it.msg</code>, the
-<code class="literal">msg</code> file for the Italian locale, just set:
-</p><pre class="screen">
-msgid "Set Default"
-msgstr "Imposta Default"
-</pre><p>
-<a class="indexterm" name="id444261"></a>
-and so on. If you find a mistake or create a new <code class="literal">msg</code> file, please email it
-to us so we will consider it in the next release of Samba. The <code class="literal">msg</code> file should be encoded in UTF-8.
-</p><p>
-<a class="indexterm" name="id444284"></a>
-Note that if you enable this feature and the <a class="link" href="smb.conf.5.html#DISPLAYCHARSET" target="_top">display charset</a> is not
-matched to your browser's setting, the SWAT display may be corrupted. In a future version of
-Samba, SWAT will always display messages with UTF-8 encoding. You will then not need to set
-this <code class="filename">smb.conf</code> file parameter.
-</p></div></div><div class="sect1" title="Overview and Quick Tour"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id444313"></a>Overview and Quick Tour</h2></div></div></div><p>
-SWAT is a tool that may be used to configure Samba or just to obtain useful links
-to important reference materials such as the contents of this book as well as other
-documents that have been found useful for solving Windows networking problems.
-</p><div class="sect2" title="The SWAT Home Page"><div class="titlepage"><div><div><h3 class="title"><a name="id444324"></a>The SWAT Home Page</h3></div></div></div><p>
-The SWAT title page provides access to the latest Samba documentation. The manual page for
-each Samba component is accessible from this page, as are the Samba3-HOWTO (this
-document) as well as the O'Reilly book <span class="quote">&#8220;<span class="quote">Using Samba.</span>&#8221;</span>
-</p><p>
-Administrators who wish to validate their Samba configuration may obtain useful information
-from the man pages for the diagnostic utilities. These are available from the SWAT home page
-also. One diagnostic tool that is not mentioned on this page but that is particularly
-useful is <a class="ulink" href="http://www.ethereal.com/" target="_top"><code class="literal">ethereal</code></a>.
-</p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is not recommended
-because it runs SWAT without authentication and with full administrative ability. It allows
-changes to <code class="filename">smb.conf</code> as well as general operation with root privileges. The option that
-creates this ability is the <code class="option">-a</code> flag to SWAT. <span class="emphasis"><em>Do not use this in a
-production environment.</em></span>
-</p></div></div><div class="sect2" title="Global Settings"><div class="titlepage"><div><div><h3 class="title"><a name="id444377"></a>Global Settings</h3></div></div></div><p>
-The <span class="guibutton">GLOBALS</span> button exposes a page that allows configuration of the global parameters
-in <code class="filename">smb.conf</code>. There are two levels of exposure of the parameters:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <span class="guibutton">Basic</span> exposes common configuration options.
- </p></li><li class="listitem"><p>
- <span class="guibutton">Advanced</span> exposes configuration options needed in more
- complex environments.
- </p></li></ul></div><p>
-To switch to other than <span class="guibutton">Basic</span> editing ability, click on <span class="guibutton">Advanced</span>.
-You may also do this by clicking on the radio button, then click on the <span class="guibutton">Commit Changes</span> button.
-</p><p>
-After making any changes to configuration parameters, make sure that
-you click on the
-<span class="guibutton">Commit Changes</span> button before moving to another area; otherwise,
-your changes will be lost.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-SWAT has context-sensitive help. To find out what each parameter is
-for, simply click on the
-<span class="guibutton">Help</span> link to the left of the configuration parameter.
-</p></div></div><div class="sect2" title="Share Settings"><div class="titlepage"><div><div><h3 class="title"><a name="id444473"></a>Share Settings</h3></div></div></div><p>
-To affect a currently configured share, simply click on the pull-down button between the
-<span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons and
-select the share you wish to operate on. To edit the settings,
-click on the
-<span class="guibutton">Choose Share</span> button. To delete the share, simply press the
-<span class="guibutton">Delete Share</span> button.
-</p><p>
-To create a new share, next to the button labeled <span class="guibutton">Create Share</span>, enter
-into the text field the name of the share to be created, then click on the
-<span class="guibutton">Create Share</span> button.
-</p></div><div class="sect2" title="Printers Settings"><div class="titlepage"><div><div><h3 class="title"><a name="id444525"></a>Printers Settings</h3></div></div></div><p>
-To affect a currently configured printer, simply click on the pull-down button between the
-<span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons and
-select the printer you wish to operate on. To edit the settings,
-click on the
-<span class="guibutton">Choose Printer</span> button. To delete the share, simply press the
-<span class="guibutton">Delete Printer</span> button.
-</p><p>
-To create a new printer, next to the button labeled <span class="guibutton">Create Printer</span>, enter
-into the text field the name of the share to be created, then click on the
-<span class="guibutton">Create Printer</span> button.
-</p></div><div class="sect2" title="The SWAT Wizard"><div class="titlepage"><div><div><h3 class="title"><a name="id444577"></a>The SWAT Wizard</h3></div></div></div><p>
-The purpose of the SWAT Wizard is to help the Microsoft-knowledgeable network administrator
-to configure Samba with a minimum of effort.
-</p><p>
-The Wizard page provides a tool for rewriting the <code class="filename">smb.conf</code> file in fully optimized format.
-This will also happen if you press the <span class="guibutton">Commit</span> button. The two differ
-because the <span class="guibutton">Rewrite</span> button ignores any changes that may have been made,
-while the <span class="guibutton">Commit</span> button causes all changes to be affected.
-</p><p>
-The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of
-options that may be necessary to create a working Samba server.
-</p><p>
-Finally, there are a limited set of options that determine what type of server Samba
-will be configured for, whether it will be a WINS server, participate as a WINS client, or
-operate with no WINS support. By clicking one button, you can elect to expose (or not) user
-home directories.
-</p></div><div class="sect2" title="The Status Page"><div class="titlepage"><div><div><h3 class="title"><a name="id444633"></a>The Status Page</h3></div></div></div><p>
-The status page serves a limited purpose. First, it allows control of the Samba daemons.
-The key daemons that create the Samba server environment are <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span>.
-</p><p>
-The daemons may be controlled individually or as a total group. Additionally, you may set
-an automatic screen refresh timing. As MS Windows clients interact with Samba, new smbd processes
-are continually spawned. The auto-refresh facility allows you to track the changing
-conditions with minimal effort.
-</p><p>
-Finally, the status page may be used to terminate specific smbd client connections in order to
-free files that may be locked.
-</p></div><div class="sect2" title="The View Page"><div class="titlepage"><div><div><h3 class="title"><a name="id444672"></a>The View Page</h3></div></div></div><p>
-The view page allows you to view the optimized <code class="filename">smb.conf</code> file and, if you are
-particularly masochistic, permits you also to see all possible global configuration
-parameters and their settings.
-</p></div><div class="sect2" title="The Password Change Page"><div class="titlepage"><div><div><h3 class="title"><a name="id444690"></a>The Password Change Page</h3></div></div></div><p>
-The password change page is a popular tool that allows the creation, deletion, deactivation,
-and reactivation of MS Windows networking users on the local machine. You can also use
-this tool to change a local password for a user account.
-</p><p>
-When logged in as a non-root account, the user must provide the old password as well as
-the new password (twice). When logged in as <span class="emphasis"><em>root</em></span>, only the new password is
-required.
-</p><p>
-One popular use for this tool is to change user passwords across a range of remote MS Windows
-servers.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 36. Migration from NT4 PDC to Samba-3 PDC </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part V. Troubleshooting</td></tr></table></div></body></html>
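Review bot: the Warning block under "The SWAT Home Page" in the removed lines is the only place in this hunk that tells an administrator that the `-a` flag runs SWAT without authentication and with full administrative ability, and it is deleted together with the xinetd example that restricts access with `only_from = localhost`. If docs/htmldocs is generated output, the commit message should say so and confirm that the source for this chapter stays in the tree, so that this guidance is not lost to readers. The removed navigation footer links this page to NT4Migration.html, migration.html, troubleshooting.html and index.html, so please also check that nothing remaining in the tree still links to the SWAT page after this deletion.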
diff --git a/docs/htmldocs/Samba3-HOWTO/SambaHA.html b/docs/htmldocs/Samba3-HOWTO/SambaHA.html
deleted file mode 100644
index 8d77f64d59..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/SambaHA.html
+++ /dev/null
@@ -1,271 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. High Availability</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="Backup.html" title="Chapter 31. Backup Techniques"><link rel="next" href="largefile.html" title="Chapter 33. Handling Large Directories"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. High Availability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="largefile.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 32. High Availability"><div class="titlepage"><div><div><h2 class="title"><a name="SambaHA"></a>Chapter 32. 
High Availability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="SambaHA.html#id434489">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SambaHA.html#id434596">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="SambaHA.html#id434627">The Ultimate Goal</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id434749">Why Is This So Hard?</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435417">A Simple Solution</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435490">High-Availability Server Products</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435618">MS-DFS: The Poor Man's Cluster</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435651">Conclusions</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id434489"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id434496"></a>
-<a class="indexterm" name="id434503"></a>
-<a class="indexterm" name="id434510"></a>
-Network administrators are often concerned about the availability of file and print
-services. Network users are inclined toward intolerance of the services they depend
-on to perform vital task responsibilities.
-</p><p>
-A sign in a computer room served to remind staff of their responsibilities. It read:
-</p><div class="blockquote"><blockquote class="blockquote"><p>
-<a class="indexterm" name="id434528"></a>
-<a class="indexterm" name="id434535"></a>
-<a class="indexterm" name="id434542"></a>
-<a class="indexterm" name="id434548"></a>
-All humans fail, in both great and small ways we fail continually. Machines fail too.
-Computers are machines that are managed by humans, the fallout from failure
-can be spectacular. Your responsibility is to deal with failure, to anticipate it
-and to eliminate it as far as is humanly and economically wise to achieve.
-Are your actions part of the problem or part of the solution?
-</p></blockquote></div><p>
-If we are to deal with failure in a planned and productive manner, then first we must
-understand the problem. That is the purpose of this chapter.
-</p><p>
-<a class="indexterm" name="id434567"></a>
-<a class="indexterm" name="id434574"></a>
-<a class="indexterm" name="id434581"></a>
-Parenthetically, in the following discussion there are seeds of information on how to
-provision a network infrastructure against failure. Our purpose here is not to provide
-a lengthy dissertation on the subject of high availability. Additionally, we have made
-a conscious decision to not provide detailed working examples of high availability
-solutions; instead we present an overview of the issues in the hope that someone will
-rise to the challenge of providing a detailed document that is focused purely on
-presentation of the current state of knowledge and practice in high availability as it
-applies to the deployment of Samba and other CIFS/SMB technologies.
-</p></div><div class="sect1" title="Technical Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id434596"></a>Technical Discussion</h2></div></div></div><p>
-<a class="indexterm" name="id434603"></a>
-<a class="indexterm" name="id434610"></a>
-<a class="indexterm" name="id434617"></a>
-The following summary was part of a presentation by Jeremy Allison at the SambaXP 2003
-conference that was held at Goettingen, Germany, in April 2003. Material has been added
-from other sources, but it was Jeremy who inspired the structure that follows.
-</p><div class="sect2" title="The Ultimate Goal"><div class="titlepage"><div><div><h3 class="title"><a name="id434627"></a>The Ultimate Goal</h3></div></div></div><p>
-<a class="indexterm" name="id434635"></a>
-<a class="indexterm" name="id434642"></a>
-<a class="indexterm" name="id434648"></a>
- All clustering technologies aim to achieve one or more of the following:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Obtain the maximum affordable computational power.</p></li><li class="listitem"><p>Obtain faster program execution.</p></li><li class="listitem"><p>Deliver unstoppable services.</p></li><li class="listitem"><p>Avert points of failure.</p></li><li class="listitem"><p>Exact most effective utilization of resources.</p></li></ul></div><p>
- A clustered file server ideally has the following properties:
-<a class="indexterm" name="id434687"></a>
-<a class="indexterm" name="id434693"></a>
-<a class="indexterm" name="id434700"></a>
-<a class="indexterm" name="id434707"></a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>All clients can connect transparently to any server.</p></li><li class="listitem"><p>A server can fail and clients are transparently reconnected to another server.</p></li><li class="listitem"><p>All servers serve out the same set of files.</p></li><li class="listitem"><p>All file changes are immediately seen on all servers.</p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>Requires a distributed file system.</p></li></ul></div></li><li class="listitem"><p>Infinite ability to scale by adding more servers or disks.</p></li></ul></div></div><div class="sect2" title="Why Is This So Hard?"><div class="titlepage"><div><div><h3 class="title"><a name="id434749"></a>Why Is This So Hard?</h3></div></div></div><p>
- In short, the problem is one of <span class="emphasis"><em>state</em></span>.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id434768"></a>
- All TCP/IP connections are dependent on state information.
- </p><p>
-<a class="indexterm" name="id434779"></a>
- The TCP connection involves a packet sequence number. This
- sequence number would need to be dynamically updated on all
- machines in the cluster to effect seamless TCP failover.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id434794"></a>
-<a class="indexterm" name="id434801"></a>
- CIFS/SMB (the Windows networking protocols) uses TCP connections.
- </p><p>
- This means that from a basic design perspective, failover is not
- seriously considered.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>
- All current SMB clusters are failover solutions
- they rely on the clients to reconnect. They provide server
- failover, but clients can lose information due to a server failure.
-<a class="indexterm" name="id434823"></a>
- </p></li></ul></div><p>
- </p></li><li class="listitem"><p>
- Servers keep state information about client connections.
- </p><div class="itemizedlist"><a class="indexterm" name="id434840"></a><ul class="itemizedlist" type="circle"><li class="listitem"><p>CIFS/SMB involves a lot of state.</p></li><li class="listitem"><p>Every file open must be compared with other open files
- to check share modes.</p></li></ul></div><p>
- </p></li></ul></div><div class="sect3" title="The Front-End Challenge"><div class="titlepage"><div><div><h4 class="title"><a name="id434861"></a>The Front-End Challenge</h4></div></div></div><p>
-<a class="indexterm" name="id434869"></a>
-<a class="indexterm" name="id434875"></a>
-<a class="indexterm" name="id434882"></a>
-<a class="indexterm" name="id434889"></a>
-<a class="indexterm" name="id434896"></a>
-<a class="indexterm" name="id434903"></a>
-<a class="indexterm" name="id434910"></a>
- To make it possible for a cluster of file servers to appear as a single server that has one
- name and one IP address, the incoming TCP data streams from clients must be processed by the
- front-end virtual server. This server must de-multiplex the incoming packets at the SMB protocol
- layer level and then feed the SMB packet to different servers in the cluster.
- </p><p>
-<a class="indexterm" name="id434922"></a>
-<a class="indexterm" name="id434929"></a>
- One could split all IPC$ connections and RPC calls to one server to handle printing and user
- lookup requirements. RPC printing handles are shared between different IPC4 sessions it is
- hard to split this across clustered servers!
- </p><p>
- Conceptually speaking, all other servers would then provide only file services. This is a simpler
- problem to concentrate on.
- </p></div><div class="sect3" title="Demultiplexing SMB Requests"><div class="titlepage"><div><div><h4 class="title"><a name="id434948"></a>Demultiplexing SMB Requests</h4></div></div></div><p>
-<a class="indexterm" name="id434956"></a>
-<a class="indexterm" name="id434962"></a>
-<a class="indexterm" name="id434969"></a>
-<a class="indexterm" name="id434976"></a>
- De-multiplexing of SMB requests requires knowledge of SMB state information,
- all of which must be held by the front-end <span class="emphasis"><em>virtual</em></span> server.
- This is a perplexing and complicated problem to solve.
- </p><p>
-<a class="indexterm" name="id434991"></a>
-<a class="indexterm" name="id434998"></a>
-<a class="indexterm" name="id435004"></a>
- Windows XP and later have changed semantics so state information (vuid, tid, fid)
- must match for a successful operation. This makes things simpler than before and is a
- positive step forward.
- </p><p>
-<a class="indexterm" name="id435016"></a>
-<a class="indexterm" name="id435023"></a>
- SMB requests are sent by vuid to their associated server. No code exists today to
- effect this solution. This problem is conceptually similar to the problem of
- correctly handling requests from multiple requests from Windows 2000
- Terminal Server in Samba.
- </p><p>
-<a class="indexterm" name="id435036"></a>
- One possibility is to start by exposing the server pool to clients directly.
- This could eliminate the de-multiplexing step.
- </p></div><div class="sect3" title="The Distributed File System Challenge"><div class="titlepage"><div><div><h4 class="title"><a name="id435046"></a>The Distributed File System Challenge</h4></div></div></div><p>
-<a class="indexterm" name="id435054"></a>
- There exists many distributed file systems for UNIX and Linux.
- </p><p>
-<a class="indexterm" name="id435064"></a>
-<a class="indexterm" name="id435071"></a>
-<a class="indexterm" name="id435078"></a>
-<a class="indexterm" name="id435085"></a>
-<a class="indexterm" name="id435092"></a>
-<a class="indexterm" name="id435098"></a>
- Many could be adopted to backend our cluster, so long as awareness of SMB
- semantics is kept in mind (share modes, locking, and oplock issues in particular).
- Common free distributed file systems include:
-<a class="indexterm" name="id435107"></a>
-<a class="indexterm" name="id435114"></a>
-<a class="indexterm" name="id435121"></a>
-<a class="indexterm" name="id435127"></a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>NFS</p></li><li class="listitem"><p>AFS</p></li><li class="listitem"><p>OpenGFS</p></li><li class="listitem"><p>Lustre</p></li></ul></div><p>
-<a class="indexterm" name="id435158"></a>
- The server pool (cluster) can use any distributed file system backend if all SMB
- semantics are performed within this pool.
- </p></div><div class="sect3" title="Restrictive Constraints on Distributed File Systems"><div class="titlepage"><div><div><h4 class="title"><a name="id435168"></a>Restrictive Constraints on Distributed File Systems</h4></div></div></div><p>
-<a class="indexterm" name="id435176"></a>
-<a class="indexterm" name="id435183"></a>
-<a class="indexterm" name="id435190"></a>
-<a class="indexterm" name="id435197"></a>
- Where a clustered server provides purely SMB services, oplock handling
- may be done within the server pool without imposing a need for this to
- be passed to the backend file system pool.
- </p><p>
-<a class="indexterm" name="id435209"></a>
-<a class="indexterm" name="id435215"></a>
- On the other hand, where the server pool also provides NFS or other file services,
- it will be essential that the implementation be oplock-aware so it can
- interoperate with SMB services. This is a significant challenge today. A failure
- to provide this interoperability will result in a significant loss of performance that will be
- sorely noted by users of Microsoft Windows clients.
- </p><p>
- Last, all state information must be shared across the server pool.
- </p></div><div class="sect3" title="Server Pool Communications"><div class="titlepage"><div><div><h4 class="title"><a name="id435235"></a>Server Pool Communications</h4></div></div></div><p>
-<a class="indexterm" name="id435243"></a>
-<a class="indexterm" name="id435249"></a>
-<a class="indexterm" name="id435256"></a>
-<a class="indexterm" name="id435263"></a>
- Most backend file systems support POSIX file semantics. This makes it difficult
- to push SMB semantics back into the file system. POSIX locks have different properties
- and semantics from SMB locks.
- </p><p>
-<a class="indexterm" name="id435275"></a>
-<a class="indexterm" name="id435281"></a>
-<a class="indexterm" name="id435288"></a>
- All <code class="literal">smbd</code> processes in the server pool must of necessity communicate
- very quickly. For this, the current <em class="parameter"><code>tdb</code></em> file structure that Samba
- uses is not suitable for use across a network. Clustered <code class="literal">smbd</code>s must use something else.
- </p></div><div class="sect3" title="Server Pool Communications Demands"><div class="titlepage"><div><div><h4 class="title"><a name="id435316"></a>Server Pool Communications Demands</h4></div></div></div><p>
- High-speed interserver communications in the server pool is a design prerequisite
- for a fully functional system. Possibilities for this include:
- </p><div class="itemizedlist"><a class="indexterm" name="id435329"></a><a class="indexterm" name="id435336"></a><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Proprietary shared memory bus (example: Myrinet or SCI [scalable coherent interface]).
- These are high-cost items.
- </p></li><li class="listitem"><p>
- Gigabit Ethernet (now quite affordable).
- </p></li><li class="listitem"><p>
- Raw Ethernet framing (to bypass TCP and UDP overheads).
- </p></li></ul></div><p>
- We have yet to identify metrics for performance demands to enable this to happen
- effectively.
- </p></div><div class="sect3" title="Required Modifications to Samba"><div class="titlepage"><div><div><h4 class="title"><a name="id435366"></a>Required Modifications to Samba</h4></div></div></div><p>
- Samba needs to be significantly modified to work with a high-speed server interconnect
- system to permit transparent failover clustering.
- </p><p>
- Particular functions inside Samba that will be affected include:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- The locking database, oplock notifications,
- and the share mode database.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id435391"></a>
-<a class="indexterm" name="id435398"></a>
- Failure semantics need to be defined. Samba behaves the same way as Windows.
- When oplock messages fail, a file open request is allowed, but this is
- potentially dangerous in a clustered environment. So how should interserver
- pool failure semantics function, and how should such functionality be implemented?
- </p></li><li class="listitem"><p>
- Should this be implemented using a point-to-point lock manager, or can this
- be done using multicast techniques?
- </p></li></ul></div></div></div><div class="sect2" title="A Simple Solution"><div class="titlepage"><div><div><h3 class="title"><a name="id435417"></a>A Simple Solution</h3></div></div></div><p>
-<a class="indexterm" name="id435425"></a>
-<a class="indexterm" name="id435432"></a>
-<a class="indexterm" name="id435438"></a>
- Allowing failover servers to handle different functions within the exported file system
- removes the problem of requiring a distributed locking protocol.
- </p><p>
-<a class="indexterm" name="id435450"></a>
-<a class="indexterm" name="id435457"></a>
- If only one server is active in a pair, the need for high-speed server interconnect is avoided.
- This allows the use of existing high-availability solutions, instead of inventing a new one.
- This simpler solution comes at a price the cost of which is the need to manage a more
- complex file name space. Since there is now not a single file system, administrators
- must remember where all services are located a complexity not easily dealt with.
- </p><p>
-<a class="indexterm" name="id435477"></a>
- The <span class="emphasis"><em>virtual server</em></span> is still needed to redirect requests to backend
- servers. Backend file space integrity is the responsibility of the administrator.
- </p></div><div class="sect2" title="High-Availability Server Products"><div class="titlepage"><div><div><h3 class="title"><a name="id435490"></a>High-Availability Server Products</h3></div></div></div><p>
-<a class="indexterm" name="id435498"></a>
-<a class="indexterm" name="id435504"></a>
-<a class="indexterm" name="id435511"></a>
-<a class="indexterm" name="id435518"></a>
-<a class="indexterm" name="id435525"></a>
- Failover servers must communicate in order to handle resource failover. This is essential
- for high-availability services. The use of a dedicated heartbeat is a common technique to
- introduce some intelligence into the failover process. This is often done over a dedicated
- link (LAN or serial).
- </p><p>
-<a class="indexterm" name="id435537"></a>
-<a class="indexterm" name="id435544"></a>
-<a class="indexterm" name="id435551"></a>
-<a class="indexterm" name="id435558"></a>
-<a class="indexterm" name="id435565"></a>
- Many failover solutions (like Red Hat Cluster Manager and Microsoft Wolfpack)
- can use a shared SCSI of Fiber Channel disk storage array for failover communication.
- Information regarding Red Hat high availability solutions for Samba may be obtained from
- <a class="ulink" href="http://www.redhat.com/docs/manuals/enterprise/RHEL-AS-2.1-Manual/cluster-manager/s1-service-samba.html" target="_top">www.redhat.com</a>.
- </p><p>
-<a class="indexterm" name="id435583"></a>
- The Linux High Availability project is a resource worthy of consultation if your desire is
- to build a highly available Samba file server solution. Please consult the home page at
- <a class="ulink" href="http://www.linux-ha.org/" target="_top">www.linux-ha.org/</a>.
- </p><p>
-<a class="indexterm" name="id435601"></a>
-<a class="indexterm" name="id435608"></a>
- Front-end server complexity remains a challenge for high availability because it must deal
- gracefully with backend failures, while at the same time providing continuity of service
- to all network clients.
- </p></div><div class="sect2" title="MS-DFS: The Poor Man's Cluster"><div class="titlepage"><div><div><h3 class="title"><a name="id435618"></a>MS-DFS: The Poor Man's Cluster</h3></div></div></div><p>
-<a class="indexterm" name="id435626"></a>
-<a class="indexterm" name="id435633"></a>
- MS-DFS links can be used to redirect clients to disparate backend servers. This pushes
- complexity back to the network client, something already included by Microsoft.
- MS-DFS creates the illusion of a simple, continuous file system name space that works even
- at the file level.
- </p><p>
- Above all, at the cost of complexity of management, a distributed system (pseudo-cluster) can
- be created using existing Samba functionality.
- </p></div><div class="sect2" title="Conclusions"><div class="titlepage"><div><div><h3 class="title"><a name="id435651"></a>Conclusions</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Transparent SMB clustering is hard to do!</p></li><li class="listitem"><p>Client failover is the best we can do today.</p></li><li class="listitem"><p>Much more work is needed before a practical and manageable high-availability transparent cluster solution will be possible.</p></li><li class="listitem"><p>MS-DFS can be used to create the illusion of a single transparent cluster.</p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="largefile.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 31. Backup Techniques </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 33. Handling Large Directories</td></tr></table></div></body></html>
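Review bot: The navigation footer removed at the end of SambaHA.html links to Backup.html (Prev), optional.html (Up), largefile.html (Next) and index.html (Home), so deleting this file is only clean if every page that links back to it leaves the tree in the same commit. The diffstat lists Backup.html as deleted, but it is limited to this directory and should be checked for largefile.html, optional.html and index.html as well, along with anything outside docs/htmldocs that still points at SambaHA.html. Because the file carries a DocBook-style generated layout (titlepage, indexterm anchors, navfooter), the commit message should state that these pages are build output and name where the chapter source lives, so that sections such as "Required Modifications to Samba" and "MS-DFS: The Poor Man's Cluster" remain reachable after the removal.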
diff --git a/docs/htmldocs/Samba3-HOWTO/ServerType.html b/docs/htmldocs/Samba3-HOWTO/ServerType.html
deleted file mode 100644
index fb3ba6d744..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/ServerType.html
+++ /dev/null
@@ -1,471 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Server Types and Security Modes</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="type.html" title="Part II. Server Configuration Basics"><link rel="next" href="samba-pdc.html" title="Chapter 4. Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Server Types and Security Modes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 3. Server Types and Security Modes"><div class="titlepage"><div><div><h2 class="title"><a name="ServerType"></a>Chapter 3. 
Server Types and Security Modes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ServerType.html#id330679">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id330822">Server Types</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id330959">Samba Security Modes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id331101">User Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331249">Share-Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331866">ADS Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331998">Server Security (User 
Level Security)</a></span></dt></dl></dd><dt><span class="sect1"><a href="ServerType.html#id332239">Password Checking</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id332395">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id332416">What Makes Samba a Server?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332443">What Makes Samba a Domain Controller?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332478">What Makes Samba a Domain Member?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332502">Constantly Losing Connections to Password Server</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332541">Stand-alone Server is converted to Domain Controller Now User accounts don't work</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id330648"></a>
-<a class="indexterm" name="id330655"></a>
-This chapter provides information regarding the types of server that Samba may be configured to be. A
-Microsoft network administrator who wishes to migrate to or use Samba will want to know the meaning, within a
-Samba context, of terms familiar to the MS Windows administrator. This means that it is essential also to
-define how critical security modes function before we get into the details of how to configure the server
-itself.
-</p><p>
-This chapter provides an overview of the security modes of which Samba is capable and how they relate to MS
-Windows servers and clients.
-</p><p>
-A question often asked is, <span class="quote">&#8220;<span class="quote">Why would I want to use Samba?</span>&#8221;</span> Most chapters contain a section that
-highlights features and benefits. We hope that the information provided will help to answer this question. Be
-warned though, we want to be fair and reasonable, so not all features are positive toward Samba. The benefit
-may be on the side of our competition.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330679"></a>Features and Benefits</h2></div></div></div><p>
-Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
-hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion
-and fury befitting his anguish. The other looked at the stone and said, <span class="quote">&#8220;<span class="quote">This is a garnet.
-I can turn that into a precious gem and some day it will make a princess very happy!</span>&#8221;</span>
-</p><p>
-The moral of this tale: Two men, two very different perspectives regarding the same stone.
-Like it or not, Samba is like that stone. Treat it the right way and it can bring great
-pleasure, but if you are forced to use it and have no time for its secrets, then it can be
-a source of discomfort.
-</p><p>
-<a class="indexterm" name="id330702"></a>
-<a class="indexterm" name="id330710"></a>
-Samba started out as a project that sought to provide interoperability for MS Windows 3.x
-clients with a UNIX server. It has grown up a lot since its humble beginnings and now provides
-features and functionality fit for large-scale deployment. It also has some warts. In sections
-like this one, we tell of both.
-</p><p>
-So, what are the benefits of the features mentioned in this chapter?
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id330730"></a>
- Samba-3 can replace an MS Windows NT4 domain controller.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id330743"></a>
- Samba-3 offers excellent interoperability with MS Windows NT4-style
- domains as well as natively with Microsoft Active Directory domains.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id330755"></a>
- Samba-3 permits full NT4-style interdomain trusts.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id330768"></a>
- <a class="indexterm" name="id330774"></a>
- Samba has security modes that permit more flexible authentication
- than is possible with MS Windows NT4 domain controllers.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id330788"></a>
- <a class="indexterm" name="id330798"></a>
- Samba-3 permits use of multiple concurrent account database backends.
- (Encrypted passwords that are stored in the account database are in
- formats that are unique to Windows networking).
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id330811"></a>
- The account database backends can be distributed
- and replicated using multiple methods. This gives Samba-3
- greater flexibility than MS Windows NT4 and in many cases a
- significantly higher utility than Active Directory domains
- with MS Windows 200x.
- </p></li></ul></div></div><div class="sect1" title="Server Types"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330822"></a>Server Types</h2></div></div></div><p>
-<a class="indexterm" name="id330830"></a>
-Administrators of Microsoft networks often refer to three different types of servers:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Domain Controller</p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>Primary Domain Controller (PDC)</p></li><li class="listitem"><p>Backup Domain Controller (BDC)</p></li><li class="listitem"><p>ADS Domain Controller</p></li></ul></div></li><li class="listitem"><p>Domain Member Server</p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>Active Directory Domain Server</p></li><li class="listitem"><p>NT4 Style Domain Domain Server</p></li></ul></div></li><li class="listitem"><p>Standalone Server</p></li></ul></div><p>
-<a class="indexterm" name="id330886"></a>
-<a class="indexterm" name="id330894"></a>
-<a class="indexterm" name="id330903"></a>
-<a class="indexterm" name="id330911"></a>
-The chapters covering domain control (<a class="link" href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>),
-backup domain control (<a class="link" href="samba-bdc.html" title="Chapter 5. Backup Domain Control">Backup Domain Control</a>), and
-domain membership (<a class="link" href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>) provide
-pertinent information regarding Samba configuration for each of these server roles.
-You are strongly encouraged to become intimately familiar with these chapters because
-they lay the foundation for deployment of Samba domain security.
-</p><p>
-<a class="indexterm" name="id330940"></a>
-A Standalone server is autonomous in respect of the source of its account backend.
-Refer to <a class="link" href="StandAloneServer.html" title="Chapter 7. Standalone Servers">Standalone Servers</a> to gain a wider appreciation
-of what is meant by a server being configured as a <span class="emphasis"><em>standalone</em></span> server.
-</p></div><div class="sect1" title="Samba Security Modes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id330959"></a>Samba Security Modes</h2></div></div></div><p>
-<a class="indexterm" name="id330966"></a>
-<a class="indexterm" name="id330973"></a>
-In this section, the function and purpose of Samba's security modes are described. An accurate understanding of
-how Samba implements each security mode as well as how to configure MS Windows clients for each mode will
-significantly reduce user complaints and administrator heartache.
-</p><p>
-<a class="indexterm" name="id330985"></a>
-<a class="indexterm" name="id330993"></a>
-Microsoft Windows networking uses a protocol that was originally called the Server Message Block (SMB)
-protocol. Since some time around 1996 the protocol has been better known as the Common Internet Filesystem
-(CIFS) protocol.
-</p><p>
-<a class="indexterm" name="id331007"></a>
-<a class="indexterm" name="id331013"></a>
-<a class="indexterm" name="id331019"></a>
-<a class="indexterm" name="id331026"></a>
-In the SMB/CIFS networking world, there are only two types of security: <span class="emphasis"><em>user-level</em></span> and
-<span class="emphasis"><em>share level</em></span>. We refer to these collectively as <span class="emphasis"><em>security levels</em></span>. In
-implementing these two security levels, Samba provides flexibilities that are not available with MS Windows
-NT4/200x servers. In fact, Samba implements <span class="emphasis"><em>share-level</em></span> security only one way, but has
-four ways of implementing <span class="emphasis"><em>user-level</em></span> security. Collectively, we call the Samba
-implementations of the security levels <span class="emphasis"><em>security modes</em></span>. They are known as
-<span class="emphasis"><em>share</em></span>, <span class="emphasis"><em>user</em></span>, <span class="emphasis"><em>domain</em></span>, <span class="emphasis"><em>ADS</em></span>,
-and <span class="emphasis"><em>server</em></span> modes. They are documented in this chapter.
-</p><p>
-An SMB server informs the client, at the time of a session setup, the security level the server is running.
-There are two options: share-level and user-level. Which of these two the client receives affects the way the
-client then tries to authenticate itself. It does not directly affect (to any great extent) the way the Samba
-server does security. This may sound strange, but it fits in with the client/server approach of SMB. In SMB
-everything is initiated and controlled by the client, and the server can only tell the client what is
-available and whether an action is allowed.
-</p><p>
-The term <code class="literal">client</code> refers to all agents whether it is a Windows workstation, a Windows server,
-another Samba server, or any vanilla SMB or CIFS client application (e.g., <code class="literal">smbclient</code>) that
-make use of services provided by an SMB/CIFS server.
-</p><div class="sect2" title="User Level Security"><div class="titlepage"><div><div><h3 class="title"><a name="id331101"></a>User Level Security</h3></div></div></div><p>
-<a class="indexterm" name="id331108"></a>
-We describe user-level security first because its simpler. In user-level security, the client sends a session
-setup request directly following protocol negotiation. This request provides a username and password. The
-server can either accept or reject that username/password combination. At this stage the server has no idea
-what share the client will eventually try to connect to, so it can't base the
-<span class="emphasis"><em>accept/reject</em></span> on anything other than:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>the username/password.</p></li><li class="listitem"><p>the name of the client machine.</p></li></ol></div><p>
-<a class="indexterm" name="id331140"></a>
-If the server accepts the username/password credentials, the client expects to be able to mount shares (using
-a <span class="emphasis"><em>tree connection</em></span>) without further specifying a password. It expects that all access
-rights will be as the username/password credentials set that was specified in the initial <span class="emphasis"><em>session
-setup</em></span>.
-</p><p>
-<a class="indexterm" name="id331158"></a>
-It is also possible for a client to send multiple <span class="emphasis"><em>session setup</em></span>
-requests. When the server responds, it gives the client a <span class="emphasis"><em>uid</em></span> to use
-as an authentication tag for that username/password. The client can maintain multiple
-authentication contexts in this way (WinDD is an example of an application that does this).
-</p><p>
-<a class="indexterm" name="id331177"></a>
-<a class="indexterm" name="id331183"></a>
-<a class="indexterm" name="id331189"></a>
-<a class="indexterm" name="id331195"></a>
-<a class="indexterm" name="id331202"></a>
-Windows networking user account names are case-insensitive, meaning that upper-case and lower-case characters
-in the account name are considered equivalent. They are said to be case-preserving, but not case significant.
-Windows and LanManager systems previous to Windows NT version 3.10 have case-insensitive passwords that were
-not necessarily case-preserving. All Windows NT family systems treat passwords as case-preserving and
-case-sensitive.
-</p><div class="sect3" title="Example Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id331213"></a>Example Configuration</h4></div></div></div><p>
-The <code class="filename">smb.conf</code> parameter that sets user-level security is:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id331233"></a><em class="parameter"><code>security = user</code></em></td></tr></table><p>
-This is the default setting since Samba-2.2.x.
-</p></div></div><div class="sect2" title="Share-Level Security"><div class="titlepage"><div><div><h3 class="title"><a name="id331249"></a>Share-Level Security</h3></div></div></div><p>
-<a class="indexterm" name="id331256"></a>
-<a class="indexterm" name="id331262"></a>
-In share-level security, the client authenticates itself separately for each share. It sends a password along
-with each tree connection request (share mount), but it does not explicitly send a username with this
-operation. The client expects a password to be associated with each share, independent of the user. This means
-that Samba has to work out what username the client probably wants to use,
-because the username is not explicitly sent to the SMB server. Some commercial SMB servers such as NT actually associate passwords directly with shares
-in share-level security, but Samba always uses the UNIX authentication scheme where it is a username/password
-pair that is authenticated, not a share/password pair.
-</p><p>
-To understand the MS Windows networking parallels, think in terms of MS Windows 9x/Me where you can create a
-shared folder that provides read-only or full access, with or without a password.
-</p><p>
-Many clients send a session setup request even if the server is in share-level security. They normally send a valid
-username but no password. Samba records this username in a list of possible usernames. When the client then
-issues a tree connection request, it also adds to this list the name of the share they try to connect to (useful for
-home directories) and any users listed in the <a class="link" href="smb.conf.5.html#USER" target="_top">user</a> parameter in the <code class="filename">smb.conf</code> file.
-The password is then checked in turn against these possible usernames. If a match is found, then the client is
-authenticated as that user.
-</p><p>
-<a class="indexterm" name="id331308"></a>
-<a class="indexterm" name="id331317"></a>
-<a class="indexterm" name="id331323"></a>
-Where the list of possible user names is not provided, Samba makes a UNIX system call to find the user
-account that has a password that matches the one provided from the standard account database. On a system that
-has no name service switch (NSS) facility, such lookups will be from the <code class="filename">/etc/passwd</code>
-database. On NSS enabled systems, the lookup will go to the libraries that have been specified in the
-<code class="filename">nsswitch.conf</code> file. The entries in that file in which the libraries are specified are:
-</p><pre class="screen">
-passwd: files nis ldap
-shadow: files nis ldap
-group: files nis ldap
-</pre><p>
-<a class="indexterm" name="id331349"></a>
-<a class="indexterm" name="id331355"></a>
-<a class="indexterm" name="id331362"></a>
-In the example shown here (not likely to be used in practice) the lookup will check
-<code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>, if not found it will check NIS, then
-LDAP.
-</p><div class="sect3" title="Example Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id331380"></a>Example Configuration</h4></div></div></div><p>
-The <code class="filename">smb.conf</code> parameter that sets share-level security is:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id331400"></a><em class="parameter"><code>security = share</code></em></td></tr></table></div></div><div class="sect2" title="Domain Security Mode (User-Level Security)"><div class="titlepage"><div><div><h3 class="title"><a name="id331413"></a>Domain Security Mode (User-Level Security)</h3></div></div></div><p>
-<a class="indexterm" name="id331420"></a>
-<a class="indexterm" name="id331428"></a>
-<a class="indexterm" name="id331437"></a>
-<a class="indexterm" name="id331443"></a>
-<a class="indexterm" name="id331449"></a>
-<a class="indexterm" name="id331456"></a>
-Domain security provides a mechanism for storing all user and group accounts in a central, shared, account
-repository. The centralized account repository is shared between domain (security) controllers. Servers that
-act as domain controllers provide authentication and validation services to all machines that participate in
-the security context for the domain. A primary domain controller (PDC) is a server that is responsible for
-maintaining the integrity of the security account database. Backup domain controllers (BDCs) provide only domain
-logon and authentication services. Usually, BDCs will answer network logon requests more responsively than
-will a PDC.
-</p><p>
-<a class="indexterm" name="id331476"></a>
-<a class="indexterm" name="id331483"></a>
-<a class="indexterm" name="id331489"></a>
-<a class="indexterm" name="id331497"></a>
-<a class="indexterm" name="id331506"></a>
-When Samba is operating in <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = domain</a> mode, the Samba server has a
-domain security trust account (a machine account) and causes all authentication requests to be passed through
-to the domain controllers. In other words, this configuration makes the Samba server a domain member server,
-even when it is in fact acting as a domain controller. All machines that participate in domain security must
-have a machine account in the security database.
-</p><p>
-<a class="indexterm" name="id331529"></a>
-<a class="indexterm" name="id331537"></a>
-<a class="indexterm" name="id331546"></a>
-<a class="indexterm" name="id331554"></a>
-Within the domain security environment, the underlying security architecture uses user-level security. Even
-machines that are domain members must authenticate on startup. The machine account consists of an account
-entry in the accounts database, the name of which is the NetBIOS name of the machine and of which the password
-is randomly generated and known to both the domain controllers and the member machine. If the machine account
-cannot be validated during startup, users will not be able to log on to the domain using this machine because
-it cannot be trusted. The machine account is referred to as a machine trust account.
-</p><p>
-There are three possible domain member configurations:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Primary domain controller (PDC) - of which there is one per domain.</p></li><li class="listitem"><p>Backup domain controller (BDC) - of which there can be any number per domain.</p></li><li class="listitem"><p>Domain member server (DMS) - of which there can be any number per domain.</p></li></ol></div><p>
-<a class="indexterm" name="id331594"></a>
-We will discuss each of these in separate chapters. For now, we are most interested in basic DMS
-configuration.
-</p><div class="sect3" title="Example Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id331603"></a>Example Configuration</h4></div></div></div><p><span class="emphasis"><em>
-Samba as a Domain Member Server
-</em></span></p><p>
-<a class="indexterm" name="id331614"></a>
-This method involves addition of the following parameters in the <code class="filename">smb.conf</code> file:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id331634"></a><em class="parameter"><code>security = domain</code></em></td></tr><tr><td><a class="indexterm" name="id331644"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr></table><p>
-</p><p>
-In order for this method to work, the Samba server needs to join the MS Windows NT
-security domain. This is done as follows:
-<a class="indexterm" name="id331659"></a>
-<a class="indexterm" name="id331667"></a>
-</p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>On the MS Windows NT domain controller, using
- the Server Manager, add a machine account for the Samba server.
- </p></li><li class="step" title="Step 2"><p>On the UNIX/Linux system execute:</p><pre class="screen"><code class="prompt">root# </code><strong class="userinput"><code>net rpc join -U administrator%password</code></strong></pre></li></ol></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id331712"></a>
-Samba-2.2.4 and later Samba 2.2.x series releases can autojoin a Windows NT4-style domain just by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -j <em class="replaceable"><code>DOMAIN_NAME</code></em> -r <em class="replaceable"><code>PDC_NAME</code></em> \
- -U Administrator%<em class="replaceable"><code>password</code></em></code></strong>
-</pre><p>
-<a class="indexterm" name="id331742"></a>
-Samba-3 can do the same by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>net rpc join -U Administrator%<em class="replaceable"><code>password</code></em></code></strong>
-</pre><p>
-It is not necessary with Samba-3 to specify the <em class="replaceable"><code>DOMAIN_NAME</code></em> or the
-<em class="replaceable"><code>PDC_NAME</code></em>, as it figures this out from the <code class="filename">smb.conf</code> file settings.
-</p></div><p>
-<a class="indexterm" name="id331784"></a>
-<a class="indexterm" name="id331790"></a>
-<a class="indexterm" name="id331796"></a>
-Use of this mode of authentication requires there to be a standard UNIX account for each user in order to
-assign a UID once the account has been authenticated by the Windows domain controller. This account can be
-blocked to prevent logons by clients other than MS Windows through means such as setting an invalid shell in
-the <code class="filename">/etc/passwd</code> entry. The best way to allocate an invalid shell to a user account is to
-set the shell to the file <code class="filename">/bin/false</code>.
-</p><p>
-<a class="indexterm" name="id331820"></a>
-<a class="indexterm" name="id331826"></a>
-Domain controllers can be located anywhere that is convenient. The best advice is to have a BDC on every
-physical network segment, and if the PDC is on a remote network segment the use of WINS (see <a class="link" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a> for more information) is almost essential.
-</p><p>
-An alternative to assigning UIDs to Windows users on a Samba member server is presented in <a class="link" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind</a>, <a class="link" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>.
-</p><p>
-For more information regarding domain membership, <a class="link" href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>.
-</p></div></div><div class="sect2" title="ADS Security Mode (User-Level Security)"><div class="titlepage"><div><div><h3 class="title"><a name="id331866"></a>ADS Security Mode (User-Level Security)</h3></div></div></div><p>
-<a class="indexterm" name="id331873"></a>
-<a class="indexterm" name="id331879"></a>
-Both Samba-2.2, and Samba-3 can join an Active Directory domain using NT4 style RPC based security. This is
-possible if the domain is run in native mode. Active Directory in native mode perfectly allows NT4-style
-domain members. This is contrary to popular belief.
-</p><p>
-If you are using Active Directory, starting with Samba-3 you can join as a native AD member. Why would you
-want to do that? Your security policy might prohibit the use of NT-compatible authentication protocols. All
-your machines are running Windows 2000 and above and all use Kerberos. In this case, Samba, as an NT4-style
-domain, would still require NT-compatible authentication data. Samba in AD-member mode can accept Kerberos
-tickets.
-</p><p>
-<a class="indexterm" name="id331898"></a>
-<a class="indexterm" name="id331905"></a>
-Sites that use Microsoft Windows active directory services (ADS) should be aware of the significance of the
-terms: <code class="literal">native mode</code> and <code class="literal">mixed mode</code> ADS operation. The term
-<code class="literal">realm</code> is used to describe a Kerberos-based security architecture (such as is used by
-Microsoft ADS).
-</p><div class="sect3" title="Example Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id331930"></a>Example Configuration</h4></div></div></div><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id331941"></a><em class="parameter"><code>realm = your.kerberos.REALM</code></em></td></tr><tr><td><a class="indexterm" name="id331952"></a><em class="parameter"><code>security = ADS</code></em></td></tr></table><p>
-The following parameter may be required:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id331971"></a><em class="parameter"><code>password server = your.kerberos.server</code></em></td></tr></table><p>
-Please refer to <a class="link" href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>, and <a class="link" href="domain-member.html#ads-member" title="Samba ADS Domain Membership">Samba
-ADS Domain Membership</a> for more information regarding this configuration option.
-</p></div></div><div class="sect2" title="Server Security (User Level Security)"><div class="titlepage"><div><div><h3 class="title"><a name="id331998"></a>Server Security (User Level Security)</h3></div></div></div><p>
-Server security mode is left over from the time when Samba was not capable of acting
-as a domain member server. It is highly recommended not to use this feature. Server
-security mode has many drawbacks that include:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Potential account lockout on MS Windows NT4/200x password servers.</p></li><li class="listitem"><p>Lack of assurance that the password server is the one specified.</p></li><li class="listitem"><p>Does not work with Winbind, which is particularly needed when storing profiles remotely.</p></li><li class="listitem"><p>This mode may open connections to the password server and keep them open for extended periods.</p></li><li class="listitem"><p>Security on the Samba server breaks badly when the remote password server suddenly shuts down.</p></li><li class="listitem"><p>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</p></li></ul></div><p>
-<a class="indexterm" name="id332045"></a>
-<a class="indexterm" name="id332051"></a>
-In server security mode the Samba server reports to the client that it is in user-level security. The client
-then does a session setup as described earlier. The Samba server takes the username/password that the client
-sends and attempts to log into the <a class="link" href="smb.conf.5.html#PASSWORDSERVER" target="_top">password server</a> by sending exactly the same
-username/password that it got from the client. If that server is in user-level security and accepts the
-password, then Samba accepts the client's connection. This parameter allows the Samba server to use another
-SMB server as the <a class="link" href="smb.conf.5.html#PASSWORDSERVER" target="_top">password server</a>.
-</p><p>
-<a class="indexterm" name="id332080"></a>
-<a class="indexterm" name="id332087"></a>
-You should also note that at the start of all this, when the server tells the client
-what security level it is in, it also tells the client if it supports encryption. If it
-does, it supplies the client with a random cryptkey. The client will then send all
-passwords in encrypted form. Samba supports this type of encryption by default.
-</p><p>
-The parameter <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = server</a> means that Samba reports to clients that
-it is running in <span class="emphasis"><em>user mode</em></span> but actually passes off all authentication requests to another
-user mode server. This requires an additional parameter <a class="link" href="smb.conf.5.html#PASSWORDSERVER" target="_top">password server</a> that points to
-the real authentication server. The real authentication server can be another Samba server, or it can be a
-Windows NT server, the latter being natively capable of encrypted password support.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id332125"></a>
-<a class="indexterm" name="id332131"></a>
-When Samba is running in <span class="emphasis"><em>server security mode</em></span>, it is essential that the parameter
-<span class="emphasis"><em>password server</em></span> is set to the precise NetBIOS machine name of the target authentication
-server. Samba cannot determine this from NetBIOS name lookups because the choice of the target authentication
-server is arbitrary and cannot be determined from a domain name. In essence, a Samba server that is in
-<span class="emphasis"><em>server security mode</em></span> is operating in what used to be known as workgroup mode.
-</p></div><div class="sect3" title="Example Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id332151"></a>Example Configuration</h4></div></div></div><p><span class="emphasis"><em>
-Using MS Windows NT as an Authentication Server
-</em></span></p><p>
-This method involves the additions of the following parameters in the <code class="filename">smb.conf</code> file:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id332176"></a><em class="parameter"><code>encrypt passwords = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id332186"></a><em class="parameter"><code>security = server</code></em></td></tr><tr><td><a class="indexterm" name="id332197"></a><em class="parameter"><code>password server = "NetBIOS_name_of_a_DC"</code></em></td></tr></table><p>
-There are two ways of identifying whether or not a username and password pair is valid.
-One uses the reply information provided as part of the authentication messaging
-process, the other uses just an error code.
-</p><p>
-<a class="indexterm" name="id332214"></a>
-<a class="indexterm" name="id332221"></a>
-The downside of this mode of configuration is that for security reasons Samba
-will send the password server a bogus username and a bogus password, and if the remote
-server fails to reject the bogus username and password pair, then an alternative mode of
-identification or validation is used. Where a site uses password lockout, after a
-certain number of failed authentication attempts, this will result in user lockouts.
-</p><p>
-Use of this mode of authentication requires a standard UNIX account for the user.
-This account can be blocked to prevent logons by non-SMB/CIFS clients.
-</p></div></div></div><div class="sect1" title="Password Checking"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332239"></a>Password Checking</h2></div></div></div><p>
-MS Windows clients may use encrypted passwords as part of a challenge/response
-authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear-text strings for simple
-password-based authentication. It should be realized that with the SMB protocol,
-the password is passed over the network either in plaintext or encrypted, but
-not both in the same authentication request.
-</p><p>
-<a class="indexterm" name="id332253"></a>
-<a class="indexterm" name="id332260"></a>
-When encrypted passwords are used, a password that has been entered by the user
-is encrypted in two ways:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>An MD4 hash of the unicode of the password
- string. This is known as the NT hash.
- </p></li><li class="listitem"><p>The password is converted to uppercase,
- and then padded or truncated to 14 bytes. This string is
- then appended with 5 bytes of NULL characters and split to
- form two 56-bit DES keys to encrypt a "magic" 8-byte value.
- The resulting 16 bytes form the LanMan hash.
- </p></li></ul></div><p>
-<a class="indexterm" name="id332285"></a>
-MS Windows 95 pre-service pack 1 and MS Windows NT versions 3.x and version 4.0 pre-service pack 3 will use
-either mode of password authentication. All versions of MS Windows that follow these versions no longer
-support plain-text passwords by default.
-</p><p>
-<a class="indexterm" name="id332299"></a>
-MS Windows clients have a habit of dropping network mappings that have been idle
-for 10 minutes or longer. When the user attempts to use the mapped drive
-connection that has been dropped, the client re-establishes the connection using
-a cached copy of the password.
-</p><p>
-When Microsoft changed the default password mode, support was dropped for caching
-of the plaintext password. This means that when the registry parameter is changed
-to re-enable use of plaintext passwords, it appears to work, but when a dropped
-service connection mapping attempts to revalidate, this will fail if the remote
-authentication server does not support encrypted passwords. It is definitely not
-a good idea to re-enable plaintext password support in such clients.
-</p><p>
-The following parameters can be used to work around the issue of Windows 9x/Me clients
-uppercasing usernames and passwords before transmitting them to the SMB server
-when using clear-text authentication:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id332331"></a></td></tr><tr><td><a class="indexterm" name="id332337"></a></td></tr></table><p>
-By default Samba will convert to lowercase the username before attempting to lookup the user
-in the database of local system accounts. Because UNIX usernames conventionally
-only contain lowercase characters, the <a class="link" href="smb.conf.5.html#USERNAME-LEVEL" target="_top">username-level</a> parameter
-is rarely needed.
-</p><p>
-<a class="indexterm" name="id332358"></a>
-However, passwords on UNIX systems often make use of mixed-case characters. This means that in order for a
-user on a Windows 9x/Me client to connect to a Samba server using clear-text authentication, the
-<a class="link" href="smb.conf.5.html#PASSWORDLEVEL" target="_top">password level</a> must be set to the maximum number of uppercase letters that
-<span class="emphasis"><em>could</em></span> appear in a password. Note that if the Server OS uses the traditional DES version
-of crypt(), a <a class="link" href="smb.conf.5.html#PASSWORDLEVEL" target="_top">password level</a> of 8 will result in case-insensitive passwords as seen
-from Windows users. This will also result in longer login times because Samba has to compute the permutations
-of the password string and try them one by one until a match is located (or all combinations fail).
-</p><p>
-The best option to adopt is to enable support for encrypted passwords wherever
-Samba is used. Most attempts to apply the registry change to re-enable plaintext
-passwords will eventually lead to user complaints and unhappiness.
-</p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332395"></a>Common Errors</h2></div></div></div><p>
-We all make mistakes. It is okay to make mistakes, as long as they are made in the right places
-and at the right time. A mistake that causes lost productivity is seldom tolerated; however, a mistake
-made in a developmental test lab is expected.
-</p><p>
-Here we look at common mistakes and misapprehensions that have been the subject of discussions
-on the Samba mailing lists. Many of these are avoidable by doing your homework before attempting
-a Samba implementation. Some are the result of a misunderstanding of the English language,
-which has many phrases that are potentially vague and may be highly confusing
-to those for whom English is not their native tongue.
-</p><div class="sect2" title="What Makes Samba a Server?"><div class="titlepage"><div><div><h3 class="title"><a name="id332416"></a>What Makes Samba a Server?</h3></div></div></div><p>
-To some, the nature of the Samba security mode is obvious, but entirely
-wrong all the same. It is assumed that <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = server</a> means that Samba
-will act as a server. Not so! This setting means that Samba will <span class="emphasis"><em>try</em></span>
-to use another SMB server as its source for user authentication alone.
-</p><p>
-Samba is a server regardless of which security mode is chosen. When Samba is used outside of a domain security
-context, it is best to leave the security mode at the default setting. By default Samba-3 uses user-mode
-security.
-</p></div><div class="sect2" title="What Makes Samba a Domain Controller?"><div class="titlepage"><div><div><h3 class="title"><a name="id332443"></a>What Makes Samba a Domain Controller?</h3></div></div></div><p>
-<a class="indexterm" name="id332450"></a>
-The <code class="filename">smb.conf</code> parameter <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = domain</a> does not really make Samba behave
-as a domain controller. This setting means we want Samba to be a domain member. See <a class="link" href="samba-pdc.html" title="Chapter 4. Domain Control">Samba as a PDC</a> for more information.
-</p></div><div class="sect2" title="What Makes Samba a Domain Member?"><div class="titlepage"><div><div><h3 class="title"><a name="id332478"></a>What Makes Samba a Domain Member?</h3></div></div></div><p>
-Guess! So many others do. But whatever you do, do not think that <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = user</a>
-makes Samba act as a domain member. Read the manufacturer's manual before the warranty expires. See
-<a class="link" href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>, for more information.
-</p></div><div class="sect2" title="Constantly Losing Connections to Password Server"><div class="titlepage"><div><div><h3 class="title"><a name="id332502"></a>Constantly Losing Connections to Password Server</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">
-Why does server_validate() simply give up rather than re-establish its connection to the
-password server? Though I am not fluent in the SMB protocol, perhaps the cluster server
-process passes along to its client workstation the session key it receives from the password
-server, which means the password hashes submitted by the client would not work on a subsequent
-connection whose session key would be different. So server_validate() must give up.
-</span>&#8221;</span></p><p>
-Indeed. That's why <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = server</a>
-is at best a nasty hack. Please use <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = domain</a>;
-<a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = server</a> mode is also known as pass-through authentication.
-</p></div><div class="sect2" title="Stand-alone Server is converted to Domain Controller Now User accounts don't work"><div class="titlepage"><div><div><h3 class="title"><a name="id332541"></a>Stand-alone Server is converted to Domain Controller Now User accounts don't work</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">
-When I try to log in to the DOMAIN, the eventlog shows <span class="emphasis"><em>tried credentials DOMAIN/username; effective
-credentials SERVER/username</em></span>
-</span>&#8221;</span></p><p>
-Usually this is due to a user or machine account being created before the Samba server is configured to be a
-domain controller. Accounts created before the server becomes a domain controller will be
-<span class="emphasis"><em>local</em></span> accounts and authenticated as what looks like a member in the SERVER domain, much
-like local user accounts in Windows 2000 and later. Accounts created after the Samba server becomes a domain
-controller will be <span class="emphasis"><em>domain</em></span> accounts and will be authenticated as a member of the DOMAIN
-domain.
-</p><p>
-This can be verified by issuing the command <code class="literal">pdbedit -L -v username</code>. If this reports DOMAIN
-then the account is a domain account, if it reports SERVER then the account is a local account.
-</p><p>
-The easiest way to resolve this is to remove and recreate the account; however this may cause problems with
-established user profiles. You can also use <code class="literal">pdbedit -u username -I DOMAIN</code>. You may also
-need to change the User SID and Primary Group SID to match the domain.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Server Configuration Basics </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. Domain Control</td></tr></table></div></body></html>
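Review bot: the deleted "Server Security (User Level Security)" section and the "Constantly Losing Connections to Password Server" entry near the end of this hunk carry the warnings that `security = server` gives no assurance the password server is the one specified, can cause account lockouts, and should be replaced by `security = domain`. The commit message should say where that guidance remains available once this rendered copy is gone. The auto-numbered `id33xxxx` anchors suggest the page is generated output, so naming the source it is built from would be enough. The removed body also links to `smb.conf.5.html#SECURITY` and `smb.conf.5.html#PASSWORDSERVER`, and the navfooter links to `type.html` and `samba-pdc.html`, so please confirm that no page kept in the tree still points at this file.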
diff --git a/docs/htmldocs/Samba3-HOWTO/StandAloneServer.html b/docs/htmldocs/Samba3-HOWTO/StandAloneServer.html
deleted file mode 100644
index 264567d7f4..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/StandAloneServer.html
+++ /dev/null
@@ -1,201 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Standalone Servers</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="domain-member.html" title="Chapter 6. Domain Membership"><link rel="next" href="ClientConfig.html" title="Chapter 8. MS Windows Network Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Standalone Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 7. Standalone Servers"><div class="titlepage"><div><div><h2 class="title"><a name="StandAloneServer"></a>Chapter 7. 
Standalone Servers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="StandAloneServer.html#id344722">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id344808">Background</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id344984">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></span></dt><dt><span class="sect2"><a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></span></dt></dl></dd><dt><span class="sect1"><a href="StandAloneServer.html#id345921">Common Errors</a></span></dt></dl></div><p>
-<a class="indexterm" name="id344698"></a>
-<a class="indexterm" name="id344704"></a>
-<a class="indexterm" name="id344711"></a>
-Standalone servers are independent of domain controllers on the network.
-They are not domain members and function more like workgroup servers. In many
-cases a standalone server is configured with a minimum of security control
-with the intent that all data served will be readily accessible to all users.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344722"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id344730"></a>
-<a class="indexterm" name="id344736"></a>
-Standalone servers can be as secure or as insecure as needs dictate. They can
-have simple or complex configurations. Above all, despite the hoopla about
-domain security, they remain a common installation.
-</p><p>
-<a class="indexterm" name="id344748"></a>
-<a class="indexterm" name="id344755"></a>
-<a class="indexterm" name="id344762"></a>
-<a class="indexterm" name="id344769"></a>
-If all that is needed is a server for read-only files, or for
-printers alone, it may not make sense to effect a complex installation.
-For example, a drafting office needs to store old drawings and reference
-standards. Nobody can write files to the server because it is legislatively
-important that all documents remain unaltered. A share-mode read-only standalone
-server is an ideal solution.
-</p><p>
-<a class="indexterm" name="id344782"></a>
-<a class="indexterm" name="id344789"></a>
-<a class="indexterm" name="id344796"></a>
-Another situation that warrants simplicity is an office that has many printers
-that are queued off a single central server. Everyone needs to be able to print
-to the printers, there is no need to effect any access controls, and no files will
-be served from the print server. Again, a share-mode standalone server makes
-a great solution.
-</p></div><div class="sect1" title="Background"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344808"></a>Background</h2></div></div></div><p>
-<a class="indexterm" name="id344815"></a>
-<a class="indexterm" name="id344822"></a>
-<a class="indexterm" name="id344829"></a>
-The term <span class="emphasis"><em>standalone server</em></span> means that it will provide local authentication and access
-control for all resources that are available from it. In general this means that there will be a local user
-database. In more technical terms, it means resources on the machine will be made available in either
-<span class="emphasis"><em>share</em></span> mode or in <span class="emphasis"><em>user</em></span> mode.
-</p><p>
-<a class="indexterm" name="id344853"></a>
-<a class="indexterm" name="id344859"></a>
-<a class="indexterm" name="id344866"></a>
-No special action is needed other than to create user accounts. Standalone
-servers do not provide network logon services. This means that machines that
-use this server do not perform a domain logon to it. Whatever logon facility
-the workstations are subject to is independent of this machine. It is, however,
-necessary to accommodate any network user so the logon name he or she uses will
-be translated (mapped) locally on the standalone server to a locally known
-user name. There are several ways this can be done.
-</p><p>
-<a class="indexterm" name="id344881"></a>
-<a class="indexterm" name="id344888"></a>
-<a class="indexterm" name="id344894"></a>
-Samba tends to blur the distinction a little in defining
-a standalone server. This is because the authentication database may be
-local or on a remote server, even if from the SMB protocol perspective
-the Samba server is not a member of a domain security context.
-</p><p>
-<a class="indexterm" name="id344907"></a>
-<a class="indexterm" name="id344913"></a>
-<a class="indexterm" name="id344920"></a>
-<a class="indexterm" name="id344926"></a>
-<a class="indexterm" name="id344933"></a>
-<a class="indexterm" name="id344940"></a>
-<a class="indexterm" name="id344947"></a>
-<a class="indexterm" name="id344953"></a>
-Through the use of Pluggable Authentication Modules (PAM) (see <a class="link" href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication">the chapter on PAM</a>)
-and the name service switcher (NSS), which maintains the UNIX-user database, the source of authentication may
-reside on another server. We would be inclined to call this the authentication server. This means that the
-Samba server may use the local UNIX/Linux system password database (<code class="filename">/etc/passwd</code> or
-<code class="filename">/etc/shadow</code>), may use a local smbpasswd file, or may use an LDAP backend, or even via PAM
-and Winbind another CIFS/SMB server for authentication.
-</p></div><div class="sect1" title="Example Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344984"></a>Example Configuration</h2></div></div></div><p>
-<a class="indexterm" name="id344992"></a>
-<a class="indexterm" name="id344999"></a>
-<a class="link" href="StandAloneServer.html#simplynice" title="Example 7.1. smb.conf for Reference Documentation Server">The example Reference Documentation Server</a> and <a class="link" href="StandAloneServer.html#SimplePrintServer" title="Central Print Serving">Central Print Serving</a> are designed to inspire simplicity. It is too easy to
-attempt a high level of creativity and to introduce too much complexity in server and network design.
-</p><div class="sect2" title="Reference Documentation Server"><div class="titlepage"><div><div><h3 class="title"><a name="RefDocServer"></a>Reference Documentation Server</h3></div></div></div><p>
-<a class="indexterm" name="id345034"></a>
-<a class="indexterm" name="id345040"></a>
-<a class="indexterm" name="id345047"></a>
-<a class="indexterm" name="id345054"></a>
-Configuration of a read-only data server that everyone can access is very simple. By default, all shares are
-read-only, unless set otherwise in the <code class="filename">smb.conf</code> file. <a class="link" href="StandAloneServer.html#simplynice" title="Example 7.1. smb.conf for Reference Documentation Server">The example - Reference
-Documentation Server</a> is the <code class="filename">smb.conf</code> file that will do this. Assume that all the reference documents
-are stored in the directory <code class="filename">/export</code>, and the documents are owned by a user other than
-nobody. No home directories are shared, and there are no users in the <code class="filename">/etc/passwd</code> UNIX
-system database. This is a simple system to administer.
-</p><div class="example"><a name="simplynice"></a><p class="title"><b>Example 7.1. smb.conf for Reference Documentation Server</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id345123"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id345135"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id345146"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td><a class="indexterm" name="id345158"></a><em class="parameter"><code>passdb backend = guest</code></em></td></tr><tr><td><a class="indexterm" name="id345169"></a><em class="parameter"><code>wins server = 192.168.1.1</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id345190"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id345201"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id345212"></a><em class="parameter"><code>guest only = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
-I would have spoken more briefly, if I'd had more time to prepare.
-</p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Mark Twain</span></td></tr></table></div><p>
-<a class="indexterm" name="id345238"></a>
-<a class="indexterm" name="id345244"></a>
-<a class="indexterm" name="id345251"></a>
-<a class="indexterm" name="id345258"></a>
-In <a class="link" href="StandAloneServer.html#simplynice" title="Example 7.1. smb.conf for Reference Documentation Server">this example</a>, the machine name is set to GANDALF, and the
-workgroup is set to the name of the local workgroup (MIDEARTH) so the machine will appear together
-with systems with which users are familiar. The only password backend required is the <span class="quote">&#8220;<span class="quote">guest</span>&#8221;</span>
-backend to allow default unprivileged account names to be used. As there is a WINS server on this network, we
-of course make use of it.
-</p><p>
-A US Air Force Colonel was renowned for saying: <span class="quote">&#8220;<span class="quote">Better is the enemy of good enough!</span>&#8221;</span> There are often
-sound reasons for avoiding complexity as well as for avoiding a technically perfect solution. Unfortunately,
-many network administrators still need to learn the art of doing just enough to keep out of trouble.
-</p></div><div class="sect2" title="Central Print Serving"><div class="titlepage"><div><div><h3 class="title"><a name="SimplePrintServer"></a>Central Print Serving</h3></div></div></div><p>
-<a class="indexterm" name="id345301"></a>
-<a class="indexterm" name="id345308"></a>
-Configuration of a simple print server is easy if you have all the right tools on your system.
-</p><div class="orderedlist" title="Assumptions"><p class="title"><b> Assumptions</b></p><ol class="orderedlist" type="1"><li class="listitem"><p>
- The print server must require no administration.
- </p></li><li class="listitem"><p>
- The print spooling and processing system on our print server will be CUPS.
- (Please refer to <a class="link" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a>, for more information).
- </p></li><li class="listitem"><p>
- The print server will service only network printers. The network administrator
- will correctly configure the CUPS environment to support the printers.
- </p></li><li class="listitem"><p>
- All workstations will use only PostScript drivers. The printer driver
- of choice is the one shipped with the Windows OS for the Apple Color LaserWriter.
- </p></li></ol></div><p>
-<a class="indexterm" name="id345358"></a>
-<a class="indexterm" name="id345365"></a>
-<a class="indexterm" name="id345372"></a>
-In this example our print server will spool all incoming print jobs to
-<code class="filename">/var/spool/samba</code> until the job is ready to be submitted by
-Samba to the CUPS print processor. Since all incoming connections will be as
-the anonymous (guest) user, two things will be required to enable anonymous printing.
-</p><div class="itemizedlist" title="Enabling Anonymous Printing"><p class="title"><b>Enabling Anonymous Printing</b></p><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id345397"></a>
-<a class="indexterm" name="id345404"></a>
-<a class="indexterm" name="id345411"></a>
- The UNIX/Linux system must have a <code class="literal">guest</code> account.
- The default for this is usually the account <code class="literal">nobody</code>.
- To find the correct name to use for your version of Samba, do the
- following:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>testparm -s -v | grep "guest account"</code></strong>
-</pre><p>
-<a class="indexterm" name="id345447"></a>
- Make sure that this account exists in your system password
- database (<code class="filename">/etc/passwd</code>).
- </p><p>
-<a class="indexterm" name="id345463"></a>
-<a class="indexterm" name="id345470"></a>
-<a class="indexterm" name="id345477"></a>
- It is a good idea either to set a password on this account, or else to lock it
- from UNIX use. Assuming that the guest account is called <code class="literal">pcguest</code>,
- it can be locked by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> passwd -l pcguest
-</pre><p>
- The exact command may vary depending on your UNIX/Linux distribution.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id345508"></a>
-<a class="indexterm" name="id345515"></a>
-<a class="indexterm" name="id345521"></a>
-<a class="indexterm" name="id345528"></a>
-<a class="indexterm" name="id345535"></a>
-<a class="indexterm" name="id345542"></a>
- The directory into which Samba will spool the file must have write
- access for the guest account. The following commands will ensure that
- this directory is available for use:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>mkdir /var/spool/samba</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chown nobody.nobody /var/spool/samba</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chmod a+rwt /var/spool/samba</code></strong>
-</pre><p>
- </p></li></ul></div><p>
-The contents of the <code class="filename">smb.conf</code> file is shown in <a class="link" href="StandAloneServer.html#AnonPtrSvr" title="Example 7.2. smb.conf for Anonymous Printing">the Anonymous Printing example</a>.
-</p><div class="example"><a name="AnonPtrSvr"></a><p class="title"><b>Example 7.2. <code class="filename">smb.conf</code> for Anonymous Printing</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id345638"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id345649"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id345661"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td><a class="indexterm" name="id345672"></a><em class="parameter"><code>passdb backend = guest</code></em></td></tr><tr><td><a class="indexterm" name="id345684"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id345695"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id345715"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id345727"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id345738"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id345750"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345761"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345773"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id345784"></a><em class="parameter"><code>browseable = 
No</code></em></td></tr></table></div></div><br class="example-break"><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id345800"></a>
-<a class="indexterm" name="id345809"></a>
-<a class="indexterm" name="id345816"></a>
-<a class="indexterm" name="id345822"></a>
-<a class="indexterm" name="id345829"></a>
-On CUPS-enabled systems there is a facility to pass raw data directly to the printer without intermediate
-processing via CUPS print filters. Where use of this mode of operation is desired, it is necessary to
-configure a raw printing device. It is also necessary to enable the raw mime handler in the
-<code class="filename">/etc/mime.conv</code> and <code class="filename">/etc/mime.types</code> files. Refer to <a class="link" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a>, <a class="link" href="CUPS-printing.html#cups-raw" title="Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream">Explicitly Enable raw Printing
-for application/octet-stream</a>.
-</p></div><p>
-<a class="indexterm" name="id345868"></a>
-<a class="indexterm" name="id345874"></a>
-<a class="indexterm" name="id345881"></a>
-<a class="indexterm" name="id345888"></a>
-The example in <a class="link" href="StandAloneServer.html#AnonPtrSvr" title="Example 7.2. smb.conf for Anonymous Printing">the Anonymous Printing example</a> uses CUPS for direct printing
-via the CUPS libarary API. This means that all printers will be exposed to Windows users without need to
-configure a printcap file. If there is necessity to expose only a sub-set of printers, or to define a special
-type of printer (for example, a PDF filter) the <em class="parameter"><code>printcap name = cups</code></em> can be replaced
-with the entry <em class="parameter"><code>printcap name = /etc/samba/myprintcap</code></em>. In this case the file specified
-should contain a list of the printer names that should be exposed to Windows network users.
-</p></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id345921"></a>Common Errors</h2></div></div></div><p>
-<a class="indexterm" name="id345929"></a>
-<a class="indexterm" name="id345935"></a>
-The greatest mistake so often made is to make a network configuration too complex.
-It pays to use the simplest solution that will meet the needs of the moment.
-</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 6. Domain Membership </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. MS Windows Network Configuration Guide</td></tr></table></div></body></html>
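Review bot: The removed Central Print Serving steps disagree about which account owns the spool directory, and that should be fixed wherever this chapter's source is kept rather than lost with the deletion. The text tells the reader to find the guest account with testparm and locks an account called pcguest, but the next step runs "chown nobody.nobody /var/spool/samba". The chown should name the account testparm reports, and use the user:group separator. The directory is also made world-writable with "chmod a+rwt" while the share is guest ok under security = SHARE, so the source should say why the sticky bit is there. Two wording slips in the same hunk are worth carrying over as fixes: "libarary" and "The contents of the smb.conf file is shown".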
diff --git a/docs/htmldocs/Samba3-HOWTO/TOSHpreface.html b/docs/htmldocs/Samba3-HOWTO/TOSHpreface.html
deleted file mode 100644
index 37c221ac9c..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/TOSHpreface.html
+++ /dev/null
@@ -1,50 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Preface</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="pr03.html" title="Foreword"><link rel="next" href="IntroSMB.html" title="Introduction"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Preface</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr03.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr></table><hr></div><div class="preface" title="Preface"><div class="titlepage"><div><div><h2 class="title"><a name="TOSHpreface"></a>Preface</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="TOSHpreface.html#id323668">Conventions Used</a></span></dt></dl></div><p>
-The editors wish to thank you for your decision to purchase this book.
-The Official Samba-3 HOWTO and Reference Guide is the result of many years
-of accumulation of information, feedback, tips, hints, and happy solutions.
-</p><p>
-Please note that this book is a living document, the contents of which are
-constantly being updated. We encourage you to contribute your tips, techniques,
-helpful hints, and your special insight into the Windows networking world to
-help make the next generation of this book even more valuable to Samba users.
-</p><p>
-We have made a concerted effort to document more comprehensively than has been
-done previously the information that may help you to better deploy Samba and to
-gain more contented network users.
-</p><p>
-This book provides example configurations, it documents key aspects of Microsoft
-Windows networking, provides in-depth insight into the important configuration of
-Samba-3, and helps to put all of these into a useful framework.
-</p><p>
-The most recent electronic versions of this document can be found at
-<a class="ulink" href="http://www.samba.org/" target="_top">http://www.samba.org/</a>
-on the <span class="quote">&#8220;<span class="quote">Documentation</span>&#8221;</span> page.
-</p><p>
-Updates, patches and corrections are most welcome. Please email your contributions
-to any one of the following:
-</p><p>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="ulink" href="mailto:jelmer@samba.org" target="_top">Jelmer Vernooij (jelmer@samba.org)</a></td></tr><tr><td><a class="ulink" href="mailto:jht@samba.org" target="_top">John H. Terpstra (jht@samba.org)</a></td></tr><tr><td><a class="ulink" href="mailto:jerry@samba.org" target="_top">Gerald (Jerry) Carter (jerry@samba.org)</a></td></tr></table><p>
-</p><p>
-We wish to advise that only original and unencumbered material can be published. Please do not submit
-content that is not your own work unless proof of consent from the copyright holder accompanies your
-submission.
-</p><div class="sect1" title="Conventions Used"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323668"></a>Conventions Used</h2></div></div></div><p>
- The following notation conventions are used throughout this book:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- TOSHARG2 is used as an abbreviation for the book, <span class="quote">&#8220;<span class="quote">The Official Samba-3
- HOWTO and Reference Guide, Second Edition</span>&#8221;</span> Editors: John H. Terpstra and Jelmer R. Vernooij,
- Publisher: Prentice Hall, ISBN: 0131882228.
- </p></li><li class="listitem"><p>
- S3bE2 is used as an abbreviation for the book, <span class="quote">&#8220;<span class="quote">Samba-3 by Example, Second Edition</span>&#8221;</span>
- Editors: John H. Terpstra, Publisher: Prentice Hall, ISBN: 013188221X.
- </p></li><li class="listitem"><p>
- Directories and filenames appear in mono-font. For example,
- <code class="filename">/etc/pam.conf</code>.
- </p></li><li class="listitem"><p>
- Executable names are bolded. For example, <code class="literal">smbd</code>.
- </p></li><li class="listitem"><p>
- Menu items and buttons appear in bold. For example, click <span class="guibutton">Next</span>.
- </p></li><li class="listitem"><p>
- Selecting a menu item is indicated as:
- <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Control Panel</span> &#8594; <span class="guimenuitem">Administrative Tools</span> &#8594; <span class="guimenuitem">Active Directory Users and Computers</span>
- </p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr03.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Foreword </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Introduction</td></tr></table></div></body></html>
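Review bot: The first removed line carries a generator meta tag of "DocBook XSL Stylesheets V1.75.2", so this file is build output, and the change should say how the HTML is regenerated or where readers now find it. The page's navigation links to pr03.html, IntroSMB.html, index.html and ../samba.css; please confirm each of those is removed in this same change or is meant to stay, so no remaining page points at a deleted Preface. Separately, the Conventions list says executable names are bolded, yet the example marks smbd with class="literal"; if the source is kept, fix that wording there.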
diff --git a/docs/htmldocs/Samba3-HOWTO/VFS.html b/docs/htmldocs/Samba3-HOWTO/VFS.html
deleted file mode 100644
index 73cd463500..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/VFS.html
+++ /dev/null
@@ -1,531 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. Stackable VFS modules</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support"><link rel="next" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. Stackable VFS modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 23. Stackable VFS modules"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 23. 
Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tpot@samba.org">tpot@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3><span class="contrib">original vfs_skel README</span> </div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><span class="contrib">original vfs_netatalk docs</span> </div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><span class="contrib">Update for multiple modules</span> </div></div><div><div class="author"><h3 class="author"><span class="firstname">Ed</span> <span class="surname">Riddle</span></h3><span class="contrib">original shadow_copy docs</span> </div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a 
href="VFS.html#id414711">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="VFS.html#id414746">Discussion</a></span></dt><dt><span class="sect1"><a href="VFS.html#id415127">Included Modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id415132">audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415172">default_quota</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415364">extd_audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#fakeperms">fake_perms</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415677">recycle</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416047">netatalk</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416094">shadow_copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="VFS.html#id416927">VFS Modules Available Elsewhere</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id416949">DatabaseFS</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417002">vscan</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417038">vscan-clamav</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id414711"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id414719"></a>
-<a class="indexterm" name="id414728"></a>
-<a class="indexterm" name="id414734"></a>
-Stackable VFS (Virtual File System) modules support was new to Samba-3 and has proven quite popular. Samba
-passes each request to access the UNIX file system through the loaded VFS modules. This chapter covers the
-modules that come with the Samba source and provides references to some external modules.
-</p></div><div class="sect1" title="Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id414746"></a>Discussion</h2></div></div></div><p>
-<a class="indexterm" name="id414754"></a>
-<a class="indexterm" name="id414760"></a>
-If not supplied with your platform distribution binary Samba package, you may have problems compiling these
-modules, as shared libraries are compiled and linked in different ways on different systems. They currently
-have been tested against GNU/Linux and IRIX.
-</p><p>
-<a class="indexterm" name="id414773"></a>
-<a class="indexterm" name="id414780"></a>
-<a class="indexterm" name="id414786"></a>
-To use the VFS modules, create a share similar to the one below. The important parameter is the <a class="link" href="smb.conf.5.html#VFSOBJECTS" target="_top">vfs objects</a> parameter where you can list one or more VFS modules by name. For example, to log all
-access to files and put deleted files in a recycle bin, see <a class="link" href="VFS.html#vfsrecyc" title="Example 23.1. smb.conf with VFS modules">the smb.conf with VFS
-modules example</a>:
-</p><div class="example"><a name="vfsrecyc"></a><p class="title"><b>Example 23.1. smb.conf with VFS modules</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[audit]</code></em></td></tr><tr><td><a class="indexterm" name="id414840"></a><em class="parameter"><code>comment = Audited /data directory</code></em></td></tr><tr><td><a class="indexterm" name="id414851"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id414863"></a><em class="parameter"><code>vfs objects = audit recycle</code></em></td></tr><tr><td><a class="indexterm" name="id414874"></a><em class="parameter"><code>writeable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id414886"></a><em class="parameter"><code>browseable = yes</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id414900"></a>
-<a class="indexterm" name="id414907"></a>
-<a class="indexterm" name="id414914"></a>
-The modules are used in the order in which they are specified. Let's say that you want to both have a virus
-scanner module and a recycle bin module. It is wise to put the virus scanner module as the first one so that
-it is the first to get run and may detect a virus immediately, before any action is performed on that file.
-<a class="link" href="smb.conf.5.html#VFSOBJECTS" target="_top">vfs objects = vscan-clamav recycle</a>
-</p><p>
-<a class="indexterm" name="id414938"></a>
-<a class="indexterm" name="id414944"></a>
-Samba will attempt to load modules from the <code class="filename">/lib</code> directory in the root directory of the
-Samba installation (usually <code class="filename">/usr/lib/samba/vfs</code> or
-<code class="filename">/usr/local/samba/lib/vfs</code>).
-</p><p>
-<a class="indexterm" name="id414973"></a>
-<a class="indexterm" name="id414980"></a>
-<a class="indexterm" name="id414986"></a>
-<a class="indexterm" name="id414993"></a>
-Some modules can be used twice for the same share. This can be done using a configuration similar to the one
-shown in <a class="link" href="VFS.html#multimodule" title="Example 23.2. smb.conf with multiple VFS modules">the smb.conf with multiple VFS modules</a>.
-
-</p><div class="example"><a name="multimodule"></a><p class="title"><b>Example 23.2. smb.conf with multiple VFS modules</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[test]</code></em></td></tr><tr><td><a class="indexterm" name="id415032"></a><em class="parameter"><code>comment = VFS TEST</code></em></td></tr><tr><td><a class="indexterm" name="id415043"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id415055"></a><em class="parameter"><code>writeable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id415066"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id415078"></a><em class="parameter"><code>vfs objects = example:example1 example example:test</code></em></td></tr><tr><td><a class="indexterm" name="id415089"></a><em class="parameter"><code>example1: parameter = 1</code></em></td></tr><tr><td><a class="indexterm" name="id415101"></a><em class="parameter"><code>example: parameter = 5</code></em></td></tr><tr><td><a class="indexterm" name="id415112"></a><em class="parameter"><code>test: parameter = 7</code></em></td></tr></table></div></div><p><br class="example-break">
-</p></div><div class="sect1" title="Included Modules"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id415127"></a>Included Modules</h2></div></div></div><div class="sect2" title="audit"><div class="titlepage"><div><div><h3 class="title"><a name="id415132"></a>audit</h3></div></div></div><p>
-<a class="indexterm" name="id415140"></a>
- A simple module to audit file access to the syslog facility. The following operations are logged:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>share</p></li><li class="listitem"><p>connect/disconnect</p></li><li class="listitem"><p>directory opens/create/remove</p></li><li class="listitem"><p>file open/close/rename/unlink/chmod</p></li></ul></div><p>
- </p></div><div class="sect2" title="default_quota"><div class="titlepage"><div><div><h3 class="title"><a name="id415172"></a>default_quota</h3></div></div></div><p>
- This module allows the default quota values, in the windows explorer GUI, to be stored on a Samba-3 server.
- The challenge is that linux filesystems only store quotas for users and groups, but no default quotas.
- </p><p>
- Samba returns NO_LIMIT as the default quotas by default and refuses to update them. With this module you
- can store the default quotas that are reported to a windows client, in the quota record of a user. By
- default the root user is taken because quota limits for root are typically not enforced.
- </p><p>
- This module takes 2 parametric entries in the <code class="filename">smb.conf</code> file. The default prefix for each is the
- <span class="quote">&#8220;<span class="quote">default_quota</span>&#8221;</span>. This can be overwrittem when you load the module in the <span class="emphasis"><em>vfs
- modules</em></span> parameter like this:
-</p><pre class="screen">
-vfs objects = default_quota:myprefix
-</pre><p>
- </p><p>
- The parametric entries that may be specified for the default_quotas module are:
- </p><div class="variablelist"><dl><dt><span class="term">myprefix:uid</span></dt><dd><p>
- This parameter takes a integer argument that specifies the uid of the quota record that will be
- used for storing the default user quotas.
- </p><p>
- The default value is 0 (for root user). An example of use is:
-</p><pre class="screen">
-vfs objects = default_quota
-default_quota: uid = 65534
-</pre><p>
- The above demonstrates the case where the <code class="constant">myprefix</code> was omitted, thus the
- default prefix is the name of the module. When a <code class="constant">myprefix</code> parameter is
- specified the above can be re-written like this:
-</p><pre class="screen">
-vfs objects = default_quota:myprefix
-myprefix: uid = 65534
-</pre><p>
- </p></dd><dt><span class="term">myprefix:uid nolimit</span></dt><dd><p>
- This parameter takes a boolean argument that specifies if the stored default quota values also be
- reported for the user record, or if the value <code class="constant">NO_LIMIT</code> should be reported to
- the windows client for the user specified by the <em class="parameter"><code>prefix:uid</code></em> parameter.
- </p><p>
- The default value is <code class="constant">yes</code> (which means to report NO_LIMIT). An example of use
- is shown here:
-</p><pre class="screen">
-vfs objects = default_quota:myprefix
-myprefix: uid nolimit = no
-</pre><p>
- </p></dd><dt><span class="term">myprefix:gid</span></dt><dd><p>
- This parameter takes an integer argument, it's just like the <em class="parameter"><code>prefix&gt;:uid</code></em> but
- for group quotas. NOTE: group quotas are not supported from the windows explorer.
- </p><p>
- The default value is 0 (for root group). An example of use is shown here:
-</p><pre class="screen">
-vfs objects = default_quota
-default_quota: gid = 65534
-</pre><p>
- </p></dd><dt><span class="term">myprefix:gid nolimit</span></dt><dd><p>
- This parameter takes a boolean argument, just like the <em class="parameter"><code>prefix&gt;:uid nolimit</code></em>
- but for group quotas. NOTE: group quotas are not supported from the windows explorer.
- </p><p>
- The default value is <code class="constant">yes</code> (which means to report NO_LIMIT). An example of use
- is shown here:
-</p><pre class="screen">
-vfs objects = default_quota
-default_quota: uid nolimit = no
-</pre><p>
- </p></dd></dl></div><p>
- An example of use of multiple parametric specifications is shown here:
-</p><pre class="screen">
-...
-vfs objects = default_quota:quotasettings
-quotasettings: uid nolimit = no
-quotasettings: gid = 65534
-quotasettings: gid nolimit = no
-...
-</pre><p>
- </p></div><div class="sect2" title="extd_audit"><div class="titlepage"><div><div><h3 class="title"><a name="id415364"></a>extd_audit</h3></div></div></div><p>
-<a class="indexterm" name="id415372"></a>
-<a class="indexterm" name="id415379"></a>
-<a class="indexterm" name="id415386"></a>
- This module is identical with the <code class="literal">audit</code> module above except
- that it sends audit logs to both syslog as well as the <code class="literal">smbd</code> log files. The
- <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a> for this module is set in the <code class="filename">smb.conf</code> file.
- </p><p>
- Valid settings and the information that will be recorded are shown in <a class="link" href="VFS.html#xtdaudit" title="Table 23.1. Extended Auditing Log Information">the next table</a>.
- </p><div class="table"><a name="xtdaudit"></a><p class="title"><b>Table 23.1. Extended Auditing Log Information</b></p><div class="table-contents"><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Make Directory, Remove Directory, Unlink</td></tr><tr><td align="center">1</td><td align="left">Open Directory, Rename File, Change Permissions/ACLs</td></tr><tr><td align="center">2</td><td align="left">Open &amp; Close File</td></tr><tr><td align="center">10</td><td align="left">Maximum Debug Level</td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" title="Configuration of Auditing"><div class="titlepage"><div><div><h4 class="title"><a name="id415517"></a>Configuration of Auditing</h4></div></div></div><p>
-<a class="indexterm" name="id415524"></a>
- This auditing tool is more flexible than most people will readily recognize. There are a number of ways
- by which useful logging information can be recorded.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Syslog can be used to record all transaction. This can be disabled by setting
- in the <code class="filename">smb.conf</code> file <em class="parameter"><code>syslog = 0</code></em>.</p></li><li class="listitem"><p>Logging can take place to the default log file (<code class="filename">log.smbd</code>)
- for all loaded VFS modules just by setting in the <code class="filename">smb.conf</code> file
- <em class="parameter"><code>log level = 0 vfs:x</code></em>, where x is the log level.
- This will disable general logging while activating all logging of VFS
- module activity at the log level specified.</p></li><li class="listitem"><p>Detailed logging can be obtained per user, per client machine, etc.
- This requires the above together with the creative use of the
- <em class="parameter"><code>log file</code></em> settings.</p><p>An example of detailed per-user and per-machine logging can
- be obtained by setting
- <a class="link" href="smb.conf.5.html#LOGFILE" target="_top">log file = /var/log/samba/%U.%m.log</a>.
- </p></li></ul></div><p>
- Auditing information often must be preserved for a long time. So that the log files do not get rotated
- it is essential that the <a class="link" href="smb.conf.5.html#MAXLOGSIZE" target="_top">max log size = 0</a> be set
- in the <code class="filename">smb.conf</code> file.
- </p></div></div><div class="sect2" title="fake_perms"><div class="titlepage"><div><div><h3 class="title"><a name="fakeperms"></a>fake_perms</h3></div></div></div><p>
-<a class="indexterm" name="id415641"></a>
-<a class="indexterm" name="id415648"></a>
-<a class="indexterm" name="id415654"></a>
-<a class="indexterm" name="id415661"></a>
- This module was created to allow Roaming Profile files and directories to be set (on the Samba server
- under UNIX) as read only. This module will, if installed on the Profiles share, report to the client
- that the Profile files and directories are writeable. This satisfies the client even though the files
- will never be overwritten as the client logs out or shuts down.
- </p></div><div class="sect2" title="recycle"><div class="titlepage"><div><div><h3 class="title"><a name="id415677"></a>recycle</h3></div></div></div><p>
-<a class="indexterm" name="id415684"></a>
-<a class="indexterm" name="id415691"></a>
-<a class="indexterm" name="id415698"></a>
- A Recycle Bin-like module. Where used, unlink calls will be intercepted and files moved
- to the recycle directory instead of being deleted. This gives the same effect as the
- <span class="guiicon">Recycle Bin</span> on Windows computers.
- </p><p>
-<a class="indexterm" name="id415716"></a>
-<a class="indexterm" name="id415722"></a>
-<a class="indexterm" name="id415729"></a>
-<a class="indexterm" name="id415736"></a>
- The <span class="guiicon">Recycle Bin</span> will not appear in
- <span class="application">Windows Explorer</span> views of the network
- file system (share) nor on any mapped drive. Instead, a directory
- called <code class="filename">.recycle</code> will be automatically created
- when the first file is deleted and <em class="parameter"><code>recycle:repository</code></em>
- is not configured.
- If <em class="parameter"><code>recycle:repository</code></em> is configured, the name
- of the created directory depends on <em class="parameter"><code>recycle:repository</code></em>.
- Users can recover files from the recycle bin. If the
- <em class="parameter"><code>recycle:keeptree</code></em> has been specified, deleted
- files will be found in a path identical with that from which the
- file was deleted.
- </p><p>Supported options for the <code class="literal">recycle</code> module are as follow:
- </p><div class="variablelist"><dl><dt><span class="term">recycle:repository</span></dt><dd><p>
-<a class="indexterm" name="id415809"></a>
- Path of the directory where deleted files should be moved.
- </p></dd><dt><span class="term">recycle:directory_mode</span></dt><dd><p>
-<a class="indexterm" name="id415827"></a>
- Set it to the octal mode you want for the recycle directory. With
- this mode the recycle directory will be created if it not
- exists and the first file is deleted.
- If <em class="parameter"><code>recycle:subdir_mode</code></em> is not set, these
- mode also apply to sub directories.
- If <em class="parameter"><code>directory_mode</code></em> not exists, the default
- mode 0700 is used.
- </p></dd><dt><span class="term">recycle:subdir_mode</span></dt><dd><p>
-<a class="indexterm" name="id415859"></a>
- Set it to the octal mode you want for the sub directories of
- the recycle directory. With this mode the sub directories will
- be created.
- If <em class="parameter"><code>recycle:subdir_mode</code></em> is not set, the
- sub directories will be created with the mode from
- <em class="parameter"><code>directory_mode</code></em>.
- </p></dd><dt><span class="term">recycle:keeptree</span></dt><dd><p>
-<a class="indexterm" name="id415890"></a>
- Specifies whether the directory structure should be kept or if the files in the directory that is being
- deleted should be kept separately in the recycle bin.
- </p></dd><dt><span class="term">recycle:versions</span></dt><dd><p>
-<a class="indexterm" name="id415910"></a>
- If this option is set, two files
- with the same name that are deleted will both
- be kept in the recycle bin. Newer deleted versions
- of a file will be called <span class="quote">&#8220;<span class="quote">Copy #x of <em class="replaceable"><code>filename</code></em></span>&#8221;</span>.
- </p></dd><dt><span class="term">recycle:touch</span></dt><dd><p>
-<a class="indexterm" name="id415935"></a>
- Specifies whether a file's access date should be touched when the file is moved to the recycle bin.
- </p></dd><dt><span class="term">recycle:touch_mtime</span></dt><dd><p>
-<a class="indexterm" name="id415954"></a>
- Specifies whether a file's last modify date date should be touched when the file is moved to the recycle bin.
- </p></dd><dt><span class="term">recycle:maxsize</span></dt><dd><p>
-<a class="indexterm" name="id415973"></a>
- Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin.
- </p></dd><dt><span class="term">recycle:exclude</span></dt><dd><p>
-<a class="indexterm" name="id415992"></a>
- List of files that should not be put into the recycle bin when deleted, but deleted in the regular way.
- </p></dd><dt><span class="term">recycle:exclude_dir</span></dt><dd><p>
-<a class="indexterm" name="id416010"></a>
- Contains a list of directories. When files from these directories are
- deleted, they are not put into the
- recycle bin but are deleted in the
- regular way.
- </p></dd><dt><span class="term">recycle:noversions</span></dt><dd><p>
-<a class="indexterm" name="id416030"></a>
- Specifies a list of paths (wildcards such as * and ? are supported) for which no versioning
- should be used. Only useful when <span class="emphasis"><em>recycle:versions</em></span> is enabled.
- </p></dd></dl></div><p>
- </p></div><div class="sect2" title="netatalk"><div class="titlepage"><div><div><h3 class="title"><a name="id416047"></a>netatalk</h3></div></div></div><p>
-<a class="indexterm" name="id416055"></a>
- A netatalk module will ease co-existence of Samba and netatalk file sharing services.
- </p><p>Advantages compared to the old netatalk module:
- </p><div class="itemizedlist"><a class="indexterm" name="id416068"></a><ul class="itemizedlist" type="disc"><li class="listitem"><p>Does not care about creating .AppleDouble forks, just keeps them in sync.</p></li><li class="listitem"><p>If a share in <code class="filename">smb.conf</code> does not contain .AppleDouble item in hide or veto list, it will be added automatically.</p></li></ul></div><p>
- </p></div><div class="sect2" title="shadow_copy"><div class="titlepage"><div><div><h3 class="title"><a name="id416094"></a>shadow_copy</h3></div></div></div><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-<a class="indexterm" name="id416103"></a>
- <span class="emphasis"><em>THIS IS NOT A BACKUP, ARCHIVAL, OR VERSION CONTROL SOLUTION!</em></span>
- </p><p>
-<a class="indexterm" name="id416117"></a>
- With Samba or Windows servers, shadow_copy is designed to be an end-user tool only. It does not replace or
- enhance your backup and archival solutions and should in no way be considered as such. Additionally, if you
- need version control, implement a version control system. You have been warned.
- </p></div><p>
- The shadow_copy module allows you to setup functionality that is similar to MS shadow copy services. When
- setup properly, this module allows Microsoft shadow copy clients to browse "shadow copies" on Samba shares.
- You will need to install the shadow copy client. You can get the MS shadow copy client <a class="ulink" href="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx" target="_top">here.</a>. Note the
- additional requirements for pre-Windows XP clients. I did not test this functionality with any pre-Windows XP
- clients. You should be able to get more information about MS Shadow Copy <a class="ulink" href="http://www.microsoft.com/windowsserver2003/techinfo/overview/scr.mspx" target="_top">from the Microsoft's site</a>.
- </p><p>
-<a class="indexterm" name="id416154"></a>
-<a class="indexterm" name="id416161"></a>
-<a class="indexterm" name="id416168"></a>
-<a class="indexterm" name="id416174"></a>
-<a class="indexterm" name="id416181"></a>
-<a class="indexterm" name="id416188"></a>
- The shadow_copy VFS module requires some underlying file system setup with some sort of Logical Volume Manager
- (LVM) such as LVM1, LVM2, or EVMS. Setting up LVM is beyond the scope of this document; however, we will
- outline the steps we took to test this functionality for <span class="emphasis"><em>example purposes only.</em></span> You need
- to make sure the LVM implementation you choose to deploy is ready for production. Make sure you do plenty of
- tests.
- </p><p>
- Here are some common resources for LVM and EVMS:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><a class="ulink" href="http://www.sistina.com/products_lvm_download.htm" target="_top">Sistina's
- LVM1 and LVM2</a></p></li><li class="listitem"><p><a class="ulink" href="http://evms.sourceforge.net/" target="_top">Enterprise Volume Management System (EVMS)</a></p></li><li class="listitem"><p><a class="ulink" href="http://tldp.org/HOWTO/LVM-HOWTO/" target="_top">The LVM HOWTO</a></p></li><li class="listitem"><p>
- See <a class="ulink" href="http://www-106.ibm.com/developerworks/linux/library/l-lvm/" target="_top">Learning
- Linux LVM, Part 1</a> and <a class="ulink" href="http://www-106.ibm.com/developerworks/library/l-lvm2.html" target="_top">Learning
- Linux LWM, Part 2</a> for Daniel Robbins' well-written, two part tutorial on Linux and LVM using LVM
- source code and reiserfs.</p></li></ul></div><div class="sect3" title="Shadow Copy Setup"><div class="titlepage"><div><div><h4 class="title"><a name="id416266"></a>Shadow Copy Setup</h4></div></div></div><p>
-<a class="indexterm" name="id416274"></a>
-<a class="indexterm" name="id416281"></a>
- At the time of this writing, not much testing has been done. I tested the shadow copy VFS module with a
- specific scenario which was not deployed in a production environment, but more as a proof of concept. The
- scenario involved a Samba-3 file server on Debian Sarge with an XFS file system and LVM1. I do NOT recommend
- you use this as a solution without doing your own due diligence with regard to all the components presented
- here. That said, following is an basic outline of how I got things going.
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p title="Installed Operating System"><b>Installed Operating System . </b>
- In my tests, I used <a class="ulink" href="http://www.debian.org/devel/debian-installer/" target="_top">Debian
- Sarge</a> (i.e., testing) on an XFS file system. Setting up the OS is a bit beyond the scope of this
- document. It is assumed that you have a working OS capable of running Samba.
- </p></li><li class="listitem"><p title="Install &amp; Configure Samba"><b>Install &amp; Configure Samba. </b>
- See the <a class="link" href="introduction.html" title="Part I. General Installation">installation section</a> of this HOWTO for more detail on this.
- It doesn't matter if it is a Domain Controller or Member File Server, but it is assumed that you have a
- working Samba 3.0.3 or later server running.
- </p></li><li class="listitem"><p title="Install &amp; Configure LVM"><b>Install &amp; Configure LVM. </b>
-<a class="indexterm" name="id416350"></a>
-<a class="indexterm" name="id416357"></a>
- Before you can make shadow copies available to the client, you have to create the shadow copies. This is
- done by taking some sort of file system snapshot. Snapshots are a typical feature of Logical Volume
- Managers such as LVM, so we first need to have that setup.
- </p><div class="itemizedlist"><p>
- The following is provided as an example and will be most helpful for Debian users. Again, this was tested
- using the "testing" or "Sarge" distribution.
- </p><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id416378"></a>
-<a class="indexterm" name="id416385"></a>
-<a class="indexterm" name="id416392"></a>
-<a class="indexterm" name="id416398"></a>
-<a class="indexterm" name="id416405"></a>
- Install lvm10 and devfsd packages if you have not done so already. On Debian systems, you are warned of the
- interaction of devfs and lvm1 which requires the use of devfs filenames. Running <code class="literal">apt-get update
- &amp;&amp; apt-get install lvm10 devfsd xfsprogs</code> should do the trick for this example.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id416425"></a>
-<a class="indexterm" name="id416432"></a>
-<a class="indexterm" name="id416439"></a>
-<a class="indexterm" name="id416446"></a>
-<a class="indexterm" name="id416453"></a>
- Now you need to create a volume. You will need to create a partition (or partitions) to add to your volume.
- Use your favorite partitioning tool (e.g., Linux fdisk, cfdisk, etc.). The partition type should be set to
- 0x8e for "Linux LVM." In this example, we will use /dev/hdb1.
- </p><p>
-<a class="indexterm" name="id416465"></a>
-<a class="indexterm" name="id416472"></a>
-<a class="indexterm" name="id416479"></a>
- Once you have the Linux LVM partition (type 0x8e), you can run a series of commands to create the LVM volume.
- You can use several disks and/or partitions, but we will use only one in this example. You may also need to
- load the kernel module with something like <code class="literal">modprobe lvm-mod</code> and set your system up to load
- it on reboot by adding it to (<code class="filename">/etc/modules</code>).
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id416505"></a>
- Create the physical volume with <code class="literal">pvcreate /dev/hdb1</code>
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id416522"></a>
-<a class="indexterm" name="id416529"></a>
- Create the volume group and add /dev/hda1 to it with <code class="literal">vgcreate shadowvol /dev/hdb1</code>
- </p><p>
-<a class="indexterm" name="id416545"></a>
- You can use <code class="literal">vgdisplay</code> to review information about the volume group.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id416563"></a>
- Now you can create the logical volume with something like <code class="literal">lvcreate -L400M -nsh_test shadowvol</code>
- </p><p>
-<a class="indexterm" name="id416579"></a>
- This creates the logical volume of 400 MBs named "sh_test" in the volume group we created called shadowvol.
- If everything is working so far, you should see them in <code class="filename">/dev/shadowvol</code>.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id416598"></a>
- Now we should be ready to format the logical volume we named sh_test with <code class="literal">mkfs.xfs
- /dev/shadowvol/sh_test</code>
- </p><p>
-<a class="indexterm" name="id416615"></a>
-<a class="indexterm" name="id416621"></a>
-<a class="indexterm" name="id416628"></a>
-<a class="indexterm" name="id416635"></a>
-<a class="indexterm" name="id416642"></a>
- You can format the logical volume with any file system you choose, but make sure to use one that allows you to
- take advantage of the additional features of LVM such as freezing, resizing, and growing your file systems.
- </p><p>
-<a class="indexterm" name="id416654"></a>
-<a class="indexterm" name="id416660"></a>
-<a class="indexterm" name="id416667"></a>
- Now we have an LVM volume where we can play with the shadow_copy VFS module.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id416679"></a>
-<a class="indexterm" name="id416686"></a>
-<a class="indexterm" name="id416693"></a>
- Now we need to prepare the directory with something like
-</p><pre class="screen">
-<code class="prompt">root# </code> mkdir -p /data/shadow_share
-</pre><p>
- or whatever you want to name your shadow copy-enabled Samba share. Make sure you set the permissions so that
- you can use it. If in doubt, use <code class="literal">chmod 777 /data/shadow_share</code> and tighten the permissions
- once you get things working.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id416724"></a>
- Mount the LVM volume using something like <code class="literal">mount /dev/shadowvol/sh_test /data/shadow_share</code>
- </p><p>
-<a class="indexterm" name="id416740"></a>
- You may also want to edit your <code class="filename">/etc/fstab</code> so that this partition mounts during the system boot.
- </p></li></ul></div></li><li class="listitem"><p title="Install &amp; Configure the shadow_copy VFS Module"><b>Install &amp; Configure the shadow_copy VFS Module. </b>
- Finally we get to the actual shadow_copy VFS module. The shadow_copy VFS module should be available in Samba
- 3.0.3 and higher. The smb.conf configuration is pretty standard. Here is our example of a share configured
- with the shadow_copy VFS module:
- </p><div class="example"><a name="vfsshadow"></a><p class="title"><b>Example 23.3. Share With shadow_copy VFS</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[shadow_share]</code></em></td></tr><tr><td><a class="indexterm" name="id416794"></a><em class="parameter"><code>comment = Shadow Copy Enabled Share</code></em></td></tr><tr><td><a class="indexterm" name="id416805"></a><em class="parameter"><code>path = /data/shadow_share</code></em></td></tr><tr><td><a class="indexterm" name="id416817"></a><em class="parameter"><code>vfs objects = shadow_copy</code></em></td></tr><tr><td><a class="indexterm" name="id416828"></a><em class="parameter"><code>writeable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id416840"></a><em class="parameter"><code>browseable = yes</code></em></td></tr></table></div></div><br class="example-break"></li><li class="listitem"><p title="Create Snapshots and Make Them Available to shadow_copy.so"><b>Create Snapshots and Make Them Available to shadow_copy.so. </b>
-<a class="indexterm" name="id416863"></a>
-<a class="indexterm" name="id416870"></a>
-<a class="indexterm" name="id416876"></a>
- Before you can browse the shadow copies, you must create them and mount them. This will most likely be done
- with a script that runs as a cron job. With this particular solution, the shadow_copy VFS module is used to
- browse LVM snapshots. Those snapshots are not created by the module. They are not made available by the
- module either. This module allows the shadow copy-enabled client to browse the snapshots you take and make
- available.
- </p><p>
- Here is a simple script used to create and mount the snapshots:
-</p><pre class="screen">
-#!/bin/bash
-# This is a test, this is only a test
-SNAPNAME=`date +%Y.%m.%d-%H.%M.%S`
-xfs_freeze -f /data/shadow_share/
-lvcreate -L10M -s -n $SNAPNAME /dev/shadowvol/sh_test
-xfs_freeze -u /data/shadow_share/
-mkdir /data/shadow_share/@GMT-$SNAPNAME
-mount /dev/shadowvol/$SNAPNAME \
- /data/shadow_share/@GMT-$SNAPNAME -onouuid,ro
-</pre><p>
- Note that the script does not handle other things like remounting snapshots on reboot.
- </p></li><li class="listitem"><p title="Test From Client"><b>Test From Client. </b>
- To test, you will need to install the shadow copy client which you can obtain from the <a class="ulink" href="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx" target="_top">Microsoft web site.</a> I
- only tested this with an XP client so your results may vary with other pre-XP clients. Once installed, with
- your XP client you can right-click on specific files or in the empty space of the shadow_share and view the
- "properties." If anything has changed, then you will see it on the "Previous Versions" tab of the properties
- window.
- </p></li></ol></div></div></div></div><div class="sect1" title="VFS Modules Available Elsewhere"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id416927"></a>VFS Modules Available Elsewhere</h2></div></div></div><p>
-<a class="indexterm" name="id416935"></a>
-This section contains a listing of various other VFS modules that have been posted but do not currently reside
-in the Samba CVS tree for one reason or another (e.g., it is easy for the maintainer to have his or her own
-CVS tree).
-</p><p>
-No statements about the stability or functionality of any module should be implied due to its presence here.
-</p><div class="sect2" title="DatabaseFS"><div class="titlepage"><div><div><h3 class="title"><a name="id416949"></a>DatabaseFS</h3></div></div></div><p>
-<a class="indexterm" name="id416957"></a>
-URL: <a class="ulink" href="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" target="_top">
-Taylors University DatabaeFS</a>
-</p><p>By <a class="ulink" href="mailto:elorimer@css.tayloru.edu" target="_top">Eric Lorimer.</a></p><p>
-I have created a VFS module that implements a fairly complete read-only filesystem. It presents information
-from a database as a filesystem in a modular and generic way to allow different databases to be used.
-(Originally designed for organizing MP3s under directories such as <span class="quote">&#8220;<span class="quote">Artists,</span>&#8221;</span> <span class="quote">&#8220;<span class="quote">Song
-Keywords,</span>&#8221;</span> and so on. I have since easily applied it to a student roster database.) The directory
-structure is stored in the database itself and the module makes no assumptions about the database structure
-beyond the table it requires to run.
-</p><p>
-Any feedback would be appreciated: comments, suggestions, patches, and so on. If nothing else, it
-might prove useful for someone else who wishes to create a virtual filesystem.
-</p></div><div class="sect2" title="vscan"><div class="titlepage"><div><div><h3 class="title"><a name="id417002"></a>vscan</h3></div></div></div><a class="indexterm" name="id417007"></a><p>URL: <a class="ulink" href="http://www.openantivirus.org/projects.php#samba-vscan" target="_top">
-Open Anti-Virus vscan</a>
-</p><p>
-<a class="indexterm" name="id417028"></a>
-samba-vscan is a proof-of-concept module for Samba, which provides on-access anti-virus support for files
-shared using Samba. samba-vscan supports various virus scanners and is maintained by Rainer Link.
-</p></div><div class="sect2" title="vscan-clamav"><div class="titlepage"><div><div><h3 class="title"><a name="id417038"></a>vscan-clamav</h3></div></div></div><p>
-Samba users have been using the RPMS from SerNet without a problem.
-OpenSUSE Linux users have also used the vscan scanner for quite some time
-with excellent results. It does impact overall write performance though.
-</p><p>
-The following share stanza is a good guide for those wanting to configure vscan-clamav:
-</p><pre class="screen">
-[share]
-vfs objects = vscan-clamav
-vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
-</pre><p>
-The following example of the <code class="filename">vscan-clamav.conf</code> file may help to get this
-fully operational:
-</p><pre class="screen">
-<span style="color: red">&lt;title&gt;VFS: Vscan ClamAV Control File&lt;/title&gt;</span>
-#
-# /etc/samba/vscan-clamav.conf
-#
-
-[samba-vscan]
-; run-time configuration for vscan-samba using
-; clamd
-; all options are set to default values
-
-; do not scan files larger than X bytes. If set to 0 (default),
-; this feature is disable (i.e. all files are scanned)
-max file size = 10485760
-
-; log all file access (yes/no). If set to yes, every access will
-; be logged. If set to no (default), only access to infected files
-; will be logged
-verbose file logging = no
-
-; if set to yes (default), a file will be scanned while opening
-scan on open = yes
-; if set to yes, a file will be scanned while closing (default is yes)
-scan on close = yes
-
-; if communication to clamd fails, should access to file denied?
-; (default: yes)
-deny access on error = no
-
-; if daemon failes with a minor error (corruption, etc.),
-; should access to file denied?
-; (default: yes)
-deny access on minor error = no
-
-; send a warning message via Windows Messenger service
-; when virus is found?
-; (default: yes)
-send warning message = yes
-
-; what to do with an infected file
-; quarantine: try to move to quantine directory
-; delete: delete infected file
-; nothing: do nothing (default)
-infected file action = quarantine
-
-; where to put infected files - you really want to change this!
-quarantine directory = /opt/clamav/quarantine
-; prefix for files in quarantine
-quarantine prefix = vir-
-
-; as Windows tries to open a file multiple time in a (very) short time
-; of period, samba-vscan use a last recently used file mechanism to avoid
-; multiple scans of a file. This setting specified the maximum number of
-; elements of the last recently used file list. (default: 100)
-max lru files entries = 100
-
-; an entry is invalidad after lru file entry lifetime (in seconds).
-; (Default: 5)
-lru file entry lifetime = 5
-
-; exclude files from being scanned based on the MIME-type! Semi-colon
-; separated list (default: empty list). Use this with care!
-exclude file types =
-
-; socket name of clamd (default: /var/run/clamd). Setting will be ignored if
-; libclamav is used
-clamd socket name = /tmp/clamd
-
-; limits, if vscan-clamav was build for using the clamav library (libclamav)
-; instead of clamd
-
-; maximum number of files in archive (default: 1000)
-libclamav max files in archive = 1000
-
-; maximum archived file size, in bytes (default: 10 MB)
-libclamav max archived file size = 5242880
-
-; maximum recursion level (default: 5)
-libclamav max recursion level = 5
-</pre><p>
-Obviously, a running clam daemon is necessary for this to work. This is a working example for me using ClamAV.
-The ClamAV documentation should provide additional configuration examples. On your system these may be located
-under the <code class="filename">/usr/share/doc/</code> directory. Some examples may also target other virus scanners,
-any of which can be used.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. CUPS Printing Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Winbind: Use of Domain Accounts</td></tr></table></div></body></html>
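Review bot: The sample vscan-clamav.conf in the removed VFS.html sets `deny access on error = no` and `deny access on minor error = no` although its own comments give the default as yes, so a clamd failure lets files through unscanned, and it puts the clamd socket at `/tmp/clamd` instead of the default `/var/run/clamd` named in the comment. If the DocBook source for this chapter stays in the tree, fix the example there instead of only dropping the generated HTML. The same source should also lose the stray `<title>VFS: Vscan ClamAV Control File</title>` that renders as a red span inside the listing, have the "add /dev/hda1" text brought in line with `vgcreate shadowvol /dev/hdb1`, and replace the `chmod 777 /data/shadow_share` hint with a narrower mode.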
diff --git a/docs/htmldocs/Samba3-HOWTO/apa.html b/docs/htmldocs/Samba3-HOWTO/apa.html
deleted file mode 100644
index 2e96646e24..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/apa.html
+++ /dev/null
@@ -1,719 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Appendix A.  GNU General Public License version 3</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="DNSDHCP.html" title="Chapter 48. DNS and DHCP Configuration Guide"><link rel="next" href="go01.html" title="Glossary"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Appendix A. 
- <acronym class="acronym">GNU</acronym> General Public License version 3
- </th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="go01.html">Next</a></td></tr></table><hr></div><div class="appendix" title="Appendix A.  GNU General Public License version 3"><div class="titlepage"><div><div><h2 class="title"><a name="id454643"></a>Appendix A. 
- <acronym class="acronym">GNU</acronym> General Public License version 3
- </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="bridgehead"><a href="apa.html#id454669">A.
- Preamble
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454778">A.
- TERMS AND CONDITIONS
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454782">A.
- 0. Definitions.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454846">A.
- 1. Source Code.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454908">A.
- 2. Basic Permissions.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454936">A.
- 3. Protecting Users&#8217; Legal Rights From Anti-Circumvention Law.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454958">A.
- 4. Conveying Verbatim Copies.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454977">A.
- 5. Conveying Modified Source Versions.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455049">A.
- 6. Conveying Non-Source Forms.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455181">A.
- 7. Additional Terms.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455286">A.
- 8. Termination.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455318">A.
- 9. Acceptance Not Required for Having Copies.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455337">A.
- 10. Automatic Licensing of Downstream Recipients.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455370">A.
- 11. Patents.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455459">A.
- 12. No Surrender of Others&#8217; Freedom.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455475">A.
- 13. Use with the ???TITLE??? Affero General Public License.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455498">A.
- 14. Revised Versions of this License.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455545">A.
- 15. Disclaimer of Warranty.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455563">A.
- 16. Limitation of Liability.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455577">A.
- 17. Interpretation of Sections 15 and 16.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455590">A.
- END OF TERMS AND CONDITIONS
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455594">A.
- How to Apply These Terms to Your New Programs
- </a></span></dt></dl></div><p>
- Version 3, 29 June 2007
- </p><p>
- Copyright © 2007 Free Software Foundation, Inc.
- <a class="ulink" href="http://fsf.org/" target="_top">http://fsf.org/</a>
- </p><p>
- Everyone is permitted to copy and distribute verbatim copies of this license
- document, but changing it is not allowed.
- </p><h2><a name="id454669"></a>
- Preamble
- </h2><p>
- The <acronym class="acronym">GNU</acronym> General Public License is a free, copyleft
- license for software and other kinds of works.
- </p><p>
- The licenses for most software and other practical works are designed to
- take away your freedom to share and change the works. By contrast, the
- <acronym class="acronym">GNU</acronym> General Public License is intended to guarantee your
- freedom to share and change all versions of a program&#8212;to make sure it
- remains free software for all its users. We, the Free Software Foundation,
- use the <acronym class="acronym">GNU</acronym> General Public License for most of our
- software; it applies also to any other work released this way by its
- authors. You can apply it to your programs, too.
- </p><p>
- When we speak of free software, we are referring to freedom, not price. Our
- General Public Licenses are designed to make sure that you have the freedom
- to distribute copies of free software (and charge for them if you wish),
- that you receive source code or can get it if you want it, that you can
- change the software or use pieces of it in new free programs, and that you
- know you can do these things.
- </p><p>
- To protect your rights, we need to prevent others from denying you these
- rights or asking you to surrender the rights. Therefore, you have certain
- responsibilities if you distribute copies of the software, or if you modify
- it: responsibilities to respect the freedom of others.
- </p><p>
- For example, if you distribute copies of such a program, whether gratis or
- for a fee, you must pass on to the recipients the same freedoms that you
- received. You must make sure that they, too, receive or can get the source
- code. And you must show them these terms so they know their rights.
- </p><p>
- Developers that use the <acronym class="acronym">GNU</acronym> <acronym class="acronym">GPL</acronym>
- protect your rights with two steps: (1) assert copyright on the software,
- and (2) offer you this License giving you legal permission to copy,
- distribute and/or modify it.
- </p><p>
- For the developers&#8217; and authors&#8217; protection, the
- <acronym class="acronym">GPL</acronym> clearly explains that there is no warranty for this
- free software. For both users&#8217; and authors&#8217; sake, the
- <acronym class="acronym">GPL</acronym> requires that modified versions be marked as changed,
- so that their problems will not be attributed erroneously to authors of
- previous versions.
- </p><p>
- Some devices are designed to deny users access to install or run modified
- versions of the software inside them, although the manufacturer can do so.
- This is fundamentally incompatible with the aim of protecting users&#8217;
- freedom to change the software. The systematic pattern of such abuse occurs
- in the area of products for individuals to use, which is precisely where it
- is most unacceptable. Therefore, we have designed this version of the
- <acronym class="acronym">GPL</acronym> to prohibit the practice for those products. If such
- problems arise substantially in other domains, we stand ready to extend this
- provision to those domains in future versions of the <acronym class="acronym">GPL</acronym>,
- as needed to protect the freedom of users.
- </p><p>
- Finally, every program is threatened constantly by software patents. States
- should not allow patents to restrict development and use of software on
- general-purpose computers, but in those that do, we wish to avoid the
- special danger that patents applied to a free program could make it
- effectively proprietary. To prevent this, the <acronym class="acronym">GPL</acronym>
- assures that patents cannot be used to render the program non-free.
- </p><p>
- The precise terms and conditions for copying, distribution and modification
- follow.
- </p><h2><a name="id454778"></a>
- TERMS AND CONDITIONS
- </h2><h2><a name="id454782"></a>
- 0. Definitions.
- </h2><p>
- &#8220;This License&#8221; refers to version 3 of the <acronym class="acronym">GNU</acronym>
- General Public License.
- </p><p>
- &#8220;Copyright&#8221; also means copyright-like laws that apply to other
- kinds of works, such as semiconductor masks.
- </p><p>
- &#8220;The Program&#8221; refers to any copyrightable work licensed under
- this License. Each licensee is addressed as &#8220;you&#8221;.
- &#8220;Licensees&#8221; and &#8220;recipients&#8221; may be individuals or
- organizations.
- </p><p>
- To &#8220;modify&#8221; a work means to copy from or adapt all or part of
- the work in a fashion requiring copyright permission, other than the making
- of an exact copy. The resulting work is called a &#8220;modified
- version&#8221; of the earlier work or a work &#8220;based on&#8221; the
- earlier work.
- </p><p>
- A &#8220;covered work&#8221; means either the unmodified Program or a work
- based on the Program.
- </p><p>
- To &#8220;propagate&#8221; a work means to do anything with it that, without
- permission, would make you directly or secondarily liable for infringement
- under applicable copyright law, except executing it on a computer or
- modifying a private copy. Propagation includes copying, distribution (with
- or without modification), making available to the public, and in some
- countries other activities as well.
- </p><p>
- To &#8220;convey&#8221; a work means any kind of propagation that enables
- other parties to make or receive copies. Mere interaction with a user
- through a computer network, with no transfer of a copy, is not conveying.
- </p><p>
- An interactive user interface displays &#8220;Appropriate Legal
- Notices&#8221; to the extent that it includes a convenient and prominently
- visible feature that (1) displays an appropriate copyright notice, and (2)
- tells the user that there is no warranty for the work (except to the extent
- that warranties are provided), that licensees may convey the work under this
- License, and how to view a copy of this License. If the interface presents
- a list of user commands or options, such as a menu, a prominent item in the
- list meets this criterion.
- </p><h2><a name="id454846"></a>
- 1. Source Code.
- </h2><p>
- The &#8220;source code&#8221; for a work means the preferred form of the
- work for making modifications to it. &#8220;Object code&#8221; means any
- non-source form of a work.
- </p><p>
- A &#8220;Standard Interface&#8221; means an interface that either is an
- official standard defined by a recognized standards body, or, in the case of
- interfaces specified for a particular programming language, one that is
- widely used among developers working in that language.
- </p><p>
- The &#8220;System Libraries&#8221; of an executable work include anything,
- other than the work as a whole, that (a) is included in the normal form of
- packaging a Major Component, but which is not part of that Major Component,
- and (b) serves only to enable use of the work with that Major Component, or
- to implement a Standard Interface for which an implementation is available
- to the public in source code form. A &#8220;Major Component&#8221;, in this
- context, means a major essential component (kernel, window system, and so
- on) of the specific operating system (if any) on which the executable work
- runs, or a compiler used to produce the work, or an object code interpreter
- used to run it.
- </p><p>
- The &#8220;Corresponding Source&#8221; for a work in object code form means
- all the source code needed to generate, install, and (for an executable
- work) run the object code and to modify the work, including scripts to
- control those activities. However, it does not include the work&#8217;s
- System Libraries, or general-purpose tools or generally available free
- programs which are used unmodified in performing those activities but which
- are not part of the work. For example, Corresponding Source includes
- interface definition files associated with source files for the work, and
- the source code for shared libraries and dynamically linked subprograms that
- the work is specifically designed to require, such as by intimate data
- communication or control flow between those subprograms and other parts of
- the work.
- </p><p>
- The Corresponding Source need not include anything that users can regenerate
- automatically from other parts of the Corresponding Source.
- </p><p>
- The Corresponding Source for a work in source code form is that same work.
- </p><h2><a name="id454908"></a>
- 2. Basic Permissions.
- </h2><p>
- All rights granted under this License are granted for the term of copyright
- on the Program, and are irrevocable provided the stated conditions are met.
- This License explicitly affirms your unlimited permission to run the
- unmodified Program. The output from running a covered work is covered by
- this License only if the output, given its content, constitutes a covered
- work. This License acknowledges your rights of fair use or other
- equivalent, as provided by copyright law.
- </p><p>
- You may make, run and propagate covered works that you do not convey,
- without conditions so long as your license otherwise remains in force. You
- may convey covered works to others for the sole purpose of having them make
- modifications exclusively for you, or provide you with facilities for
- running those works, provided that you comply with the terms of this License
- in conveying all material for which you do not control copyright. Those
- thus making or running the covered works for you must do so exclusively on
- your behalf, under your direction and control, on terms that prohibit them
- from making any copies of your copyrighted material outside their
- relationship with you.
- </p><p>
- Conveying under any other circumstances is permitted solely under the
- conditions stated below. Sublicensing is not allowed; section 10 makes it
- unnecessary.
- </p><h2><a name="id454936"></a>
- 3. Protecting Users&#8217; Legal Rights From Anti-Circumvention Law.
- </h2><p>
- No covered work shall be deemed part of an effective technological measure
- under any applicable law fulfilling obligations under article 11 of the WIPO
- copyright treaty adopted on 20 December 1996, or similar laws prohibiting or
- restricting circumvention of such measures.
- </p><p>
- When you convey a covered work, you waive any legal power to forbid
- circumvention of technological measures to the extent such circumvention is
- effected by exercising rights under this License with respect to the covered
- work, and you disclaim any intention to limit operation or modification of
- the work as a means of enforcing, against the work&#8217;s users, your or
- third parties&#8217; legal rights to forbid circumvention of technological
- measures.
- </p><h2><a name="id454958"></a>
- 4. Conveying Verbatim Copies.
- </h2><p>
- You may convey verbatim copies of the Program&#8217;s source code as you
- receive it, in any medium, provided that you conspicuously and appropriately
- publish on each copy an appropriate copyright notice; keep intact all
- notices stating that this License and any non-permissive terms added in
- accord with section 7 apply to the code; keep intact all notices of the
- absence of any warranty; and give all recipients a copy of this License
- along with the Program.
- </p><p>
- You may charge any price or no price for each copy that you convey, and you
- may offer support or warranty protection for a fee.
- </p><h2><a name="id454977"></a>
- 5. Conveying Modified Source Versions.
- </h2><p>
- You may convey a work based on the Program, or the modifications to produce
- it from the Program, in the form of source code under the terms of section
- 4, provided that you also meet all of these conditions:
- </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><p>
- The work must carry prominent notices stating that you modified it, and
- giving a relevant date.
- </p></li><li class="listitem"><p>
- The work must carry prominent notices stating that it is released under
- this License and any conditions added under section 7. This requirement
- modifies the requirement in section 4 to &#8220;keep intact all
- notices&#8221;.
- </p></li><li class="listitem"><p>
- You must license the entire work, as a whole, under this License to
- anyone who comes into possession of a copy. This License will therefore
- apply, along with any applicable section 7 additional terms, to the
- whole of the work, and all its parts, regardless of how they are
- packaged. This License gives no permission to license the work in any
- other way, but it does not invalidate such permission if you have
- separately received it.
- </p></li><li class="listitem"><p>
- If the work has interactive user interfaces, each must display
- Appropriate Legal Notices; however, if the Program has interactive
- interfaces that do not display Appropriate Legal Notices, your work need
- not make them do so.
- </p></li></ol></div><p>
- A compilation of a covered work with other separate and independent works,
- which are not by their nature extensions of the covered work, and which are
- not combined with it such as to form a larger program, in or on a volume of
- a storage or distribution medium, is called an &#8220;aggregate&#8221; if
- the compilation and its resulting copyright are not used to limit the access
- or legal rights of the compilation&#8217;s users beyond what the individual works
- permit. Inclusion of a covered work in an aggregate does not cause
- this License to apply to the other parts of the aggregate.
- </p><h2><a name="id455049"></a>
- 6. Conveying Non-Source Forms.
- </h2><p>
- You may convey a covered work in object code form under the terms of
- sections 4 and 5, provided that you also convey the machine-readable
- Corresponding Source under the terms of this License, in one of these ways:
- </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><p>
- Convey the object code in, or embodied in, a physical product (including
- a physical distribution medium), accompanied by the Corresponding Source
- fixed on a durable physical medium customarily used for software
- interchange.
- </p></li><li class="listitem"><p>
- Convey the object code in, or embodied in, a physical product (including
- a physical distribution medium), accompanied by a written offer, valid
- for at least three years and valid for as long as you offer spare parts
- or customer support for that product model, to give anyone who possesses
- the object code either (1) a copy of the Corresponding Source for all
- the software in the product that is covered by this License, on a
- durable physical medium customarily used for software interchange, for a
- price no more than your reasonable cost of physically performing this
- conveying of source, or (2) access to copy the Corresponding Source from
- a network server at no charge.
- </p></li><li class="listitem"><p>
- Convey individual copies of the object code with a copy of the written
- offer to provide the Corresponding Source. This alternative is allowed
- only occasionally and noncommercially, and only if you received the
- object code with such an offer, in accord with subsection 6b.
- </p></li><li class="listitem"><p>
- Convey the object code by offering access from a designated place
- (gratis or for a charge), and offer equivalent access to the
- Corresponding Source in the same way through the same place at no
- further charge. You need not require recipients to copy the
- Corresponding Source along with the object code. If the place to copy
- the object code is a network server, the Corresponding Source may be on
- a different server (operated by you or a third party) that supports
- equivalent copying facilities, provided you maintain clear directions
- next to the object code saying where to find the Corresponding Source.
- Regardless of what server hosts the Corresponding Source, you remain
- obligated to ensure that it is available for as long as needed to
- satisfy these requirements.
- </p></li><li class="listitem"><p>
- Convey the object code using peer-to-peer transmission, provided you
- inform other peers where the object code and Corresponding Source of the
- work are being offered to the general public at no charge under
- subsection 6d.
- </p></li></ol></div><p>
- A separable portion of the object code, whose source code is excluded from
- the Corresponding Source as a System Library, need not be included in
- conveying the object code work.
- </p><p>
- A &#8220;User Product&#8221; is either (1) a &#8220;consumer product&#8221;,
- which means any tangible personal property which is normally used for
- personal, family, or household purposes, or (2) anything designed or sold
- for incorporation into a dwelling. In determining whether a product is a
- consumer product, doubtful cases shall be resolved in favor of coverage.
- For a particular product received by a particular user, &#8220;normally
- used&#8221; refers to a typical or common use of that class of product,
- regardless of the status of the particular user or of the way in which the
- particular user actually uses, or expects or is expected to use, the
- product. A product is a consumer product regardless of whether the product
- has substantial commercial, industrial or non-consumer uses, unless such
- uses represent the only significant mode of use of the product.
- </p><p>
- &#8220;Installation Information&#8221; for a User Product means any methods,
- procedures, authorization keys, or other information required to install and
- execute modified versions of a covered work in that User Product from a
- modified version of its Corresponding Source. The information must suffice
- to ensure that the continued functioning of the modified object code is in
- no case prevented or interfered with solely because modification has been
- made.
- </p><p>
- If you convey an object code work under this section in, or with, or
- specifically for use in, a User Product, and the conveying occurs as part of
- a transaction in which the right of possession and use of the User Product
- is transferred to the recipient in perpetuity or for a fixed term
- (regardless of how the transaction is characterized), the Corresponding
- Source conveyed under this section must be accompanied by the Installation
- Information. But this requirement does not apply if neither you nor any
- third party retains the ability to install modified object code on the User
- Product (for example, the work has been installed in
- <acronym class="acronym">ROM</acronym>).
- </p><p>
- The requirement to provide Installation Information does not include a
- requirement to continue to provide support service, warranty, or updates for
- a work that has been modified or installed by the recipient, or for the User
- Product in which it has been modified or installed. Access to a network may
- be denied when the modification itself materially and adversely affects the
- operation of the network or violates the rules and protocols for
- communication across the network.
- </p><p>
- Corresponding Source conveyed, and Installation Information provided, in
- accord with this section must be in a format that is publicly documented
- (and with an implementation available to the public in source code form),
- and must require no special password or key for unpacking, reading or
- copying.
- </p><h2><a name="id455181"></a>
- 7. Additional Terms.
- </h2><p>
- &#8220;Additional permissions&#8221; are terms that supplement the terms of
- this License by making exceptions from one or more of its conditions.
- Additional permissions that are applicable to the entire Program shall be
- treated as though they were included in this License, to the extent that
- they are valid under applicable law. If additional permissions apply only
- to part of the Program, that part may be used separately under those
- permissions, but the entire Program remains governed by this License
- without regard to the additional permissions.
- </p><p>
- When you convey a copy of a covered work, you may at your option remove any
- additional permissions from that copy, or from any part of it. (Additional
- permissions may be written to require their own removal in certain cases
- when you modify the work.) You may place additional permissions on
- material, added by you to a covered work, for which you have or can give
- appropriate copyright permission.
- </p><p>
- Notwithstanding any other provision of this License, for material you add
- to a covered work, you may (if authorized by the copyright holders of that
- material) supplement the terms of this License with terms:
- </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><p>
- Disclaiming warranty or limiting liability differently from the terms
- of sections 15 and 16 of this License; or
- </p></li><li class="listitem"><p>
- Requiring preservation of specified reasonable legal notices or author
- attributions in that material or in the Appropriate Legal Notices
- displayed by works containing it; or
- </p></li><li class="listitem"><p>
- Prohibiting misrepresentation of the origin of that material, or
- requiring that modified versions of such material be marked in
- reasonable ways as different from the original version; or
- </p></li><li class="listitem"><p>
- Limiting the use for publicity purposes of names of licensors or
- authors of the material; or
- </p></li><li class="listitem"><p>
- Declining to grant rights under trademark law for use of some trade
- names, trademarks, or service marks; or
- </p></li><li class="listitem"><p>
- Requiring indemnification of licensors and authors of that material by
- anyone who conveys the material (or modified versions of it) with
- contractual assumptions of liability to the recipient, for any
- liability that these contractual assumptions directly impose on those
- licensors and authors.
- </p></li></ol></div><p>
- All other non-permissive additional terms are considered &#8220;further
- restrictions&#8221; within the meaning of section 10. If the Program as
- you received it, or any part of it, contains a notice stating that it is
- governed by this License along with a term that is a further restriction,
- you may remove that term. If a license document contains a further
- restriction but permits relicensing or conveying under this License, you
- may add to a covered work material governed by the terms of that license
- document, provided that the further restriction does not survive such
- relicensing or conveying.
- </p><p>
- If you add terms to a covered work in accord with this section, you must
- place, in the relevant source files, a statement of the additional terms
- that apply to those files, or a notice indicating where to find the
- applicable terms.
- </p><p>
- Additional terms, permissive or non-permissive, may be stated in the form
- of a separately written license, or stated as exceptions; the above
- requirements apply either way.
- </p><h2><a name="id455286"></a>
- 8. Termination.
- </h2><p>
- You may not propagate or modify a covered work except as expressly provided
- under this License. Any attempt otherwise to propagate or modify it is
- void, and will automatically terminate your rights under this License
- (including any patent licenses granted under the third paragraph of section
- 11).
- </p><p>
- However, if you cease all violation of this License, then your license from
- a particular copyright holder is reinstated (a) provisionally, unless and
- until the copyright holder explicitly and finally terminates your license,
- and (b) permanently, if the copyright holder fails to notify you of the
- violation by some reasonable means prior to 60 days after the cessation.
- </p><p>
- Moreover, your license from a particular copyright holder is reinstated
- permanently if the copyright holder notifies you of the violation by some
- reasonable means, this is the first time you have received notice of
- violation of this License (for any work) from that copyright holder, and
- you cure the violation prior to 30 days after your receipt of the notice.
- </p><p>
- Termination of your rights under this section does not terminate the
- licenses of parties who have received copies or rights from you under this
- License. If your rights have been terminated and not permanently
- reinstated, you do not qualify to receive new licenses for the same
- material under section 10.
- </p><h2><a name="id455318"></a>
- 9. Acceptance Not Required for Having Copies.
- </h2><p>
- You are not required to accept this License in order to receive or run a
- copy of the Program. Ancillary propagation of a covered work occurring
- solely as a consequence of using peer-to-peer transmission to receive a
- copy likewise does not require acceptance. However, nothing other than
- this License grants you permission to propagate or modify any covered work.
- These actions infringe copyright if you do not accept this License.
- Therefore, by modifying or propagating a covered work, you indicate your
- acceptance of this License to do so.
- </p><h2><a name="id455337"></a>
- 10. Automatic Licensing of Downstream Recipients.
- </h2><p>
- Each time you convey a covered work, the recipient automatically receives a
- license from the original licensors, to run, modify and propagate that
- work, subject to this License. You are not responsible for enforcing
- compliance by third parties with this License.
- </p><p>
- An &#8220;entity transaction&#8221; is a transaction transferring control
- of an organization, or substantially all assets of one, or subdividing an
- organization, or merging organizations. If propagation of a covered work
- results from an entity transaction, each party to that transaction who
- receives a copy of the work also receives whatever licenses to the work the
- party&#8217;s predecessor in interest had or could give under the previous
- paragraph, plus a right to possession of the Corresponding Source of the
- work from the predecessor in interest, if the predecessor has it or can get
- it with reasonable efforts.
- </p><p>
- You may not impose any further restrictions on the exercise of the rights
- granted or affirmed under this License. For example, you may not impose a
- license fee, royalty, or other charge for exercise of rights granted under
- this License, and you may not initiate litigation (including a cross-claim
- or counterclaim in a lawsuit) alleging that any patent claim is infringed
- by making, using, selling, offering for sale, or importing the Program or
- any portion of it.
- </p><h2><a name="id455370"></a>
- 11. Patents.
- </h2><p>
- A &#8220;contributor&#8221; is a copyright holder who authorizes use under
- this License of the Program or a work on which the Program is based. The
- work thus licensed is called the contributor&#8217;s &#8220;contributor
- version&#8221;.
- </p><p>
- A contributor&#8217;s &#8220;essential patent claims&#8221; are all patent
- claims owned or controlled by the contributor, whether already acquired or
- hereafter acquired, that would be infringed by some manner, permitted by
- this License, of making, using, or selling its contributor version, but do
- not include claims that would be infringed only as a consequence of further
- modification of the contributor version. For purposes of this definition,
- &#8220;control&#8221; includes the right to grant patent sublicenses in a
- manner consistent with the requirements of this License.
- </p><p>
- Each contributor grants you a non-exclusive, worldwide, royalty-free patent
- license under the contributor&#8217;s essential patent claims, to make, use,
- sell, offer for sale, import and otherwise run, modify and propagate the
- contents of its contributor version.
- </p><p>
- In the following three paragraphs, a &#8220;patent license&#8221; is any
- express agreement or commitment, however denominated, not to enforce a
- patent (such as an express permission to practice a patent or covenant not
- to sue for patent infringement). To &#8220;grant&#8221; such a patent
- license to a party means to make such an agreement or commitment not to
- enforce a patent against the party.
- </p><p>
- If you convey a covered work, knowingly relying on a patent license, and the
- Corresponding Source of the work is not available for anyone to copy, free
- of charge and under the terms of this License, through a publicly available
- network server or other readily accessible means, then you must either (1)
- cause the Corresponding Source to be so available, or (2) arrange to deprive
- yourself of the benefit of the patent license for this particular work, or
- (3) arrange, in a manner consistent with the requirements of this License,
- to extend the patent license to downstream recipients. &#8220;Knowingly
- relying&#8221; means you have actual knowledge that, but for the patent
- license, your conveying the covered work in a country, or your
- recipient&#8217;s use of the covered work in a country, would infringe one
- or more identifiable patents in that country that you have reason to believe
- are valid.
- </p><p>
- If, pursuant to or in connection with a single transaction or arrangement,
- you convey, or propagate by procuring conveyance of, a covered work, and
- grant a patent license to some of the parties receiving the covered work
- authorizing them to use, propagate, modify or convey a specific copy of the
- covered work, then the patent license you grant is automatically extended to
- all recipients of the covered work and works based on it.
- </p><p>
- A patent license is &#8220;discriminatory&#8221; if it does not include
- within the scope of its coverage, prohibits the exercise of, or is
- conditioned on the non-exercise of one or more of the rights that are
- specifically granted under this License. You may not convey a covered work
- if you are a party to an arrangement with a third party that is in the
- business of distributing software, under which you make payment to the third
- party based on the extent of your activity of conveying the work, and under
- which the third party grants, to any of the parties who would receive the
- covered work from you, a discriminatory patent license (a) in connection
- with copies of the covered work conveyed by you (or copies made from those
- copies), or (b) primarily for and in connection with specific products or
- compilations that contain the covered work, unless you entered into that
- arrangement, or that patent license was granted, prior to 28 March 2007.
- </p><p>
- Nothing in this License shall be construed as excluding or limiting any
- implied license or other defenses to infringement that may otherwise be
- available to you under applicable patent law.
- </p><h2><a name="id455459"></a>
- 12. No Surrender of Others&#8217; Freedom.
- </h2><p>
- If conditions are imposed on you (whether by court order, agreement or
- otherwise) that contradict the conditions of this License, they do not
- excuse you from the conditions of this License. If you cannot convey a
- covered work so as to satisfy simultaneously your obligations under this
- License and any other pertinent obligations, then as a consequence you may
- not convey it at all. For example, if you agree to terms that obligate you
- to collect a royalty for further conveying from those to whom you convey the
- Program, the only way you could satisfy both those terms and this License
- would be to refrain entirely from conveying the Program.
- </p><h2><a name="id455475"></a>
- 13. Use with the <acronym class="acronym">GNU</acronym> Affero General Public License.
- </h2><p>
- Notwithstanding any other provision of this License, you have permission to
- link or combine any covered work with a work licensed under version 3 of the
- <acronym class="acronym">GNU</acronym> Affero General Public License into a single combined
- work, and to convey the resulting work. The terms of this License will
- continue to apply to the part which is the covered work, but the special
- requirements of the <acronym class="acronym">GNU</acronym> Affero General Public License,
- section 13, concerning interaction through a network will apply to the
- combination as such.
- </p><h2><a name="id455498"></a>
- 14. Revised Versions of this License.
- </h2><p>
- The Free Software Foundation may publish revised and/or new versions of the
- <acronym class="acronym">GNU</acronym> General Public License from time to time. Such new
- versions will be similar in spirit to the present version, but may differ in
- detail to address new problems or concerns.
- </p><p>
- Each version is given a distinguishing version number. If the Program
- specifies that a certain numbered version of the <acronym class="acronym">GNU</acronym>
- General Public License &#8220;or any later version&#8221; applies to it, you
- have the option of following the terms and conditions either of that
- numbered version or of any later version published by the Free Software
- Foundation. If the Program does not specify a version number of the
- <acronym class="acronym">GNU</acronym> General Public License, you may choose any version
- ever published by the Free Software Foundation.
- </p><p>
- If the Program specifies that a proxy can decide which future versions of
- the <acronym class="acronym">GNU</acronym> General Public License can be used, that
- proxy&#8217;s public statement of acceptance of a version permanently
- authorizes you to choose that version for the Program.
- </p><p>
- Later license versions may give you additional or different permissions.
- However, no additional obligations are imposed on any author or copyright
- holder as a result of your choosing to follow a later version.
- </p><h2><a name="id455545"></a>
- 15. Disclaimer of Warranty.
- </h2><p>
- THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE
- LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
- OTHER PARTIES PROVIDE THE PROGRAM &#8220;AS IS&#8221; WITHOUT WARRANTY OF
- ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH
- YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
- NECESSARY SERVICING, REPAIR OR CORRECTION.
- </p><h2><a name="id455563"></a>
- 16. Limitation of Liability.
- </h2><p>
- IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
- ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE
- PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
- GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE
- OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA
- OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
- PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
- EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGES.
- </p><h2><a name="id455577"></a>
- 17. Interpretation of Sections 15 and 16.
- </h2><p>
- If the disclaimer of warranty and limitation of liability provided above
- cannot be given local legal effect according to their terms, reviewing
- courts shall apply local law that most closely approximates an absolute
- waiver of all civil liability in connection with the Program, unless a
- warranty or assumption of liability accompanies a copy of the Program in
- return for a fee.
- </p><h2><a name="id455590"></a>
- END OF TERMS AND CONDITIONS
- </h2><h2><a name="id455594"></a>
- How to Apply These Terms to Your New Programs
- </h2><p>
- If you develop a new program, and you want it to be of the greatest possible
- use to the public, the best way to achieve this is to make it free software
- which everyone can redistribute and change under these terms.
- </p><p>
- To do so, attach the following notices to the program. It is safest to
- attach them to the start of each source file to most effectively state the
- exclusion of warranty; and each file should have at least the
- &#8220;copyright&#8221; line and a pointer to where the full notice is
- found.
- </p><pre class="screen">
-<em class="replaceable"><code>one line to give the program&#8217;s name and a brief idea of what it does.</code></em>
-Copyright (C) <em class="replaceable"><code>year</code></em> <em class="replaceable"><code>name of author</code></em>
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the <acronym class="acronym">GNU</acronym> General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-<acronym class="acronym">GNU</acronym> General Public License for more details.
-
-You should have received a copy of the <acronym class="acronym">GNU</acronym> General Public License
-along with this program. If not, see <a class="ulink" href="http://www.gnu.org/licenses/" target="_top">http://www.gnu.org/licenses/</a>.
- </pre><p>
- Also add information on how to contact you by electronic and paper mail.
- </p><p>
- If the program does terminal interaction, make it output a short notice like
- this when it starts in an interactive mode:
- </p><pre class="screen">
-<em class="replaceable"><code>program</code></em> Copyright (C) <em class="replaceable"><code>year</code></em> <em class="replaceable"><code>name of author</code></em>
-This program comes with ABSOLUTELY NO WARRANTY; for details type &#8216;<code class="literal">show w</code>&#8217;.
-This is free software, and you are welcome to redistribute it
-under certain conditions; type &#8216;<code class="literal">show c</code>&#8217; for details.
- </pre><p>
- The hypothetical commands &#8216;<code class="literal">show w</code>&#8217; and
- &#8216;<code class="literal">show c</code>&#8217; should show the appropriate parts of
- the General Public License. Of course, your program&#8217;s commands might be
- different; for a GUI interface, you would use an &#8220;about box&#8221;.
- </p><p>
- You should also get your employer (if you work as a programmer) or school,
- if any, to sign a &#8220;copyright disclaimer&#8221; for the program, if
- necessary. For more information on this, and how to apply and follow the
- <acronym class="acronym">GNU</acronym> <acronym class="acronym">GPL</acronym>, see <a class="ulink" href="http://www.gnu.org/licenses/" target="_top">http://www.gnu.org/licenses/</a>.
- </p><p>
- The <acronym class="acronym">GNU</acronym> General Public License does not permit
- incorporating your program into proprietary programs. If your program is a
- subroutine library, you may consider it more useful to permit linking
- proprietary applications with the library. If this is what you want to do,
- use the <acronym class="acronym">GNU</acronym> Lesser General Public License instead of this
- License. But first, please read <a class="ulink" href="http://www.gnu.org/philosophy/why-not-lgpl.html" target="_top">http://www.gnu.org/philosophy/why-not-lgpl.html</a>.
- </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="go01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 48. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Glossary</td></tr></table></div></body></html>
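Review bot: the end of this deleted page (sections 12 to 17, "END OF TERMS AND CONDITIONS" and "How to Apply These Terms to Your New Programs") is the documentation's copy of the GNU General Public License text, so before merging, confirm that a full copy of the license still ships elsewhere in the tree and that nothing remaining refers readers to this appendix. The navigation footer on the last removed line links to DNSDHCP.html and go01.html; check that both are removed in the same commit so no remaining page is left with a dangling Prev or Next link to this one.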
diff --git a/docs/htmldocs/Samba3-HOWTO/bugreport.html b/docs/htmldocs/Samba3-HOWTO/bugreport.html
deleted file mode 100644
index 5391874a40..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/bugreport.html
+++ /dev/null
@@ -1,159 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. Reporting Bugs</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="prev" href="problems.html" title="Chapter 39. Analyzing and Solving Samba Problems"><link rel="next" href="tdb.html" title="Chapter 41. Managing TDB Files"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. Reporting Bugs</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="problems.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="tdb.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 40. Reporting Bugs"><div class="titlepage"><div><div><h2 class="title"><a name="bugreport"></a>Chapter 40. 
Reporting Bugs</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate"> 27 June 1997 </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="bugreport.html#id447883">Introduction</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id447963">General Information</a></span></dt><dt><span class="sect1"><a href="bugreport.html#dbglvl">Debug Levels</a></span></dt><dd><dl><dt><span class="sect2"><a href="bugreport.html#id448181">Debugging-Specific Operations</a></span></dt></dl></dd><dt><span class="sect1"><a href="bugreport.html#id448377">Internal Errors</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id448498">Attaching to a Running Process</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id448614">Patches</a></span></dt></dl></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 
class="title" style="clear: both"><a name="id447883"></a>Introduction</h2></div></div></div><p>
-<a class="indexterm" name="id447891"></a>
-<a class="indexterm" name="id447898"></a>
-Please report bugs using Samba's <a class="ulink" href="https://bugzilla.samba.org/" target="_top">Bugzilla</a> facilities and take
-the time to read this file before you submit a bug report. Also, check to see if it has changed between
-releases, as we may be changing the bug reporting mechanism at some point.
-</p><p>
-Please do as much as you can yourself to help track down the
-bug. Samba is maintained by a dedicated group of people who volunteer
-their time, skills, and efforts. We receive far more mail than
-we can possibly answer, so you have a much higher chance of a response
-and a fix if you send us a <span class="quote">&#8220;<span class="quote">developer-friendly</span>&#8221;</span> bug report that lets
-us fix it fast.
-</p><p>
-<a class="indexterm" name="id447925"></a>
-<a class="indexterm" name="id447932"></a>
-<a class="indexterm" name="id447939"></a>
-If you post the bug to the comp.protocols.smb
-newsgroup or the mailing list, do not assume that we will read it. If you suspect that your
-problem is not a bug but a configuration problem, it is better to send
-it to the Samba mailing list, as there are thousands of other users on
-that list who may be able to help you.
-</p><p>
-You may also like to look though the recent mailing list archives,
-which are conveniently accessible on the Samba Web pages
-at <a class="ulink" href="http://samba.org/samba/" target="_top">http://samba.org/samba/</a>.
-</p></div><div class="sect1" title="General Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id447963"></a>General Information</h2></div></div></div><p>
-Before submitting a bug report, check your config for silly
-errors. Look in your log files for obvious messages that tell
-you've misconfigured something. Run testparm to check your config
-file for correct syntax.
-</p><p>
-Have you looked through <a class="link" href="diagnosis.html" title="Chapter 38. The Samba Checklist">The Samba Checklist</a>? This is extremely important.
-</p><p>
-If you include part of a log file with your bug report, then be sure to
-annotate it with exactly what you were doing on the client at the
-time and exactly what the results were.
-</p></div><div class="sect1" title="Debug Levels"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="dbglvl"></a>Debug Levels</h2></div></div></div><p>
-If the bug has anything to do with Samba behaving incorrectly as a
-server (like refusing to open a file), then the log files will probably
-be quite useful. Depending on the problem, a log level of between 3 and
-10 showing the problem may be appropriate. A higher level gives more
-detail but may use too much disk space.
-</p><p>
-<a class="indexterm" name="id448007"></a>
-<a class="indexterm" name="id448014"></a>
-To set the debug level, use the <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a> in your
-<code class="filename">smb.conf</code>. You may also find it useful to set the log
-level higher for just one machine and keep separate logs for each machine.
-To do this, add the following lines to your main <code class="filename">smb.conf</code> file:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id448052"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id448064"></a><em class="parameter"><code>log file = /usr/local/samba/lib/log.%m</code></em></td></tr><tr><td><a class="indexterm" name="id448076"></a><em class="parameter"><code>include = /usr/local/samba/lib/smb.conf.%m</code></em></td></tr></table><p>
-and create a file <code class="filename">/usr/local/samba/lib/smb.conf.<em class="replaceable"><code>machine</code></em></code> where
-<em class="replaceable"><code>machine</code></em> is the name of the client you wish to debug. In that file put any
-<code class="filename">smb.conf</code> commands you want; for example, <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a> may be useful. This also allows
-you to experiment with different security systems, protocol levels, and so on, on just one machine.
-</p><p>
-The <code class="filename">smb.conf</code> entry <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a> is synonymous with the parameter <a class="link" href="smb.conf.5.html#DEBUGLEVEL" target="_top">debuglevel</a> that has been used in older versions of Samba and is being retained for backward
-compatibility of <code class="filename">smb.conf</code> files.
-</p><p>
-As the <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a> value is increased, you will record a significantly greater level of
-debugging information. For most debugging operations, you may not need a setting higher than
-<code class="constant">3</code>. Nearly all bugs can be tracked at a setting of <code class="constant">10</code>, but be
-prepared for a large volume of log data.
-</p><div class="sect2" title="Debugging-Specific Operations"><div class="titlepage"><div><div><h3 class="title"><a name="id448181"></a>Debugging-Specific Operations</h3></div></div></div><p>
-<a class="indexterm" name="id448189"></a>
-<a class="indexterm" name="id448196"></a>
-<a class="indexterm" name="id448202"></a>
-<a class="indexterm" name="id448209"></a>
- Samba-3.x permits debugging (logging) of specific functional components without unnecessarily
- cluttering the log files with detailed logs for all operations. An example configuration to
- achieve this is shown in:
- </p><p>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id448227"></a><em class="parameter"><code>log level = 0 tdb:3 passdb:5 auth:4 vfs:2</code></em></td></tr><tr><td><a class="indexterm" name="id448238"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id448250"></a><em class="parameter"><code>log file = /var/log/samba/%U.%m.log</code></em></td></tr></table><p>
-</p><p>
- This will cause the level of detail to be expanded to the debug class (log level) passed to
- each functional area per the value shown above. The first value passed to the <em class="parameter"><code>log level</code></em>
- of <code class="constant">0</code> means turn off all unnecessary debugging except the debug classes set for
- the functional areas as specified. The table shown in <a class="link" href="bugreport.html#dbgclass" title="Table 40.1. Debuggable Functions">Debuggable Functions</a>
- may be used to attain very precise analysis of each SMB operation Samba is conducting.
- </p><div class="table"><a name="dbgclass"></a><p class="title"><b>Table 40.1. Debuggable Functions</b></p><div class="table-contents"><table summary="Debuggable Functions" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Function Name</th><th align="center">Function Name</th></tr></thead><tbody><tr><td align="center">all</td><td align="center">passdb</td></tr><tr><td align="center">tdb</td><td align="center">sam</td></tr><tr><td align="center">printdrivers</td><td align="center">auth</td></tr><tr><td align="center">lanman</td><td align="center">winbind</td></tr><tr><td align="center">smb</td><td align="center">vfs</td></tr><tr><td align="center">rpc_parse</td><td align="center">idmap</td></tr><tr><td align="center">rpc_srv</td><td align="center">quota</td></tr><tr><td align="center">rpc_cli</td><td align="center">acls</td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" title="Internal Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id448377"></a>Internal Errors</h2></div></div></div><p>
-If you get the message <span class="quote">&#8220;<span class="quote"><span class="errorname">INTERNAL ERROR</span></span>&#8221;</span> in your log files,
-it means that Samba got an unexpected signal while running. It is probably a
-segmentation fault and almost certainly means a bug in Samba (unless
-you have faulty hardware or system software).
-</p><p>
-If the message came from smbd, it will probably be accompanied by
-a message that details the last SMB message received by smbd. This
-information is often useful in tracking down the problem, so please
-include it in your bug report.
-</p><p>
-You should also detail how to reproduce the problem, if
-possible. Please make this reasonably detailed.
-</p><p>
-<a class="indexterm" name="id448404"></a>
-You may also find that a core file appeared in a <code class="filename">corefiles</code>
-subdirectory of the directory where you keep your Samba log
-files. This file is the most useful tool for tracking down the bug. To
-use it, you do this:
-<a class="indexterm" name="id448419"></a>
-<a class="indexterm" name="id448425"></a>
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>gdb smbd core</code></strong>
-</pre><p>
-</p><p>
-<a class="indexterm" name="id448451"></a>
-<a class="indexterm" name="id448458"></a>
-adding appropriate paths to smbd and core so gdb can find them. If you
-do not have gdb, try <strong class="userinput"><code>dbx</code></strong>. Then within the debugger,
-use the command <code class="literal">where</code> to give a stack trace of where the
-problem occurred. Include this in your report.
-</p><p>
-<a class="indexterm" name="id448480"></a>
-If you know any assembly language, do a <code class="literal">disass</code> of the routine
-where the problem occurred (if it's in a library routine, then
-disassemble the routine that called it) and try to work out exactly
-where the problem is by looking at the surrounding code. Even if you
-do not know assembly, including this information in the bug report can be
-useful.
-</p></div><div class="sect1" title="Attaching to a Running Process"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id448498"></a>Attaching to a Running Process</h2></div></div></div><p>
-<a class="indexterm" name="id448506"></a>
-<a class="indexterm" name="id448513"></a>
-<a class="indexterm" name="id448519"></a>
-Unfortunately, some UNIXes (in particular some recent Linux kernels)
-refuse to dump a core file if the task has changed UID (which smbd
-does often). To debug with this sort of system, you could try to attach
-to the running process using
-<strong class="userinput"><code>gdb smbd <em class="replaceable"><code>PID</code></em></code></strong>, where you get
-<em class="replaceable"><code>PID</code></em> from <span class="application">smbstatus</span>.
-Then use <code class="literal">c</code> to continue and try to cause the core dump
-using the client. The debugger should catch the fault and tell you
-where it occurred.
-</p><p>
-Sometimes it is necessary to build Samba binary files that have debugging
-symbols so as to make it possible to capture enough information from a crashed
-operation to permit the Samba Team to fix the problem.
-</p><p>
-Compile with <code class="constant">-g</code> to ensure you have symbols in place.
-Add the following line to the <code class="filename">smb.conf</code> file global section:
-</p><pre class="screen">
-panic action = "/bin/sleep 90000"
-</pre><p>
-to catch any panics. If <code class="literal">smbd</code> seems to be frozen, look for any sleep
-processes. If it is not, and appears to be spinning, find the PID
-of the spinning process and type:
-</p><pre class="screen">
-<code class="prompt">root# </code> gdb /usr/local/samba/sbin/smbd
-</pre><p>
-<a class="indexterm" name="id448597"></a>
-then <span class="quote">&#8220;<span class="quote">attach `pid'</span>&#8221;</span> (of the spinning process), then type <span class="quote">&#8220;<span class="quote">bt</span>&#8221;</span> to
-get a backtrace to see where the smbd is in the call path.
-</p></div><div class="sect1" title="Patches"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id448614"></a>Patches</h2></div></div></div><p>
-<a class="indexterm" name="id448621"></a>
-<a class="indexterm" name="id448628"></a>
-The best sort of bug report is one that includes a fix! If you send us
-patches, please use <strong class="userinput"><code>diff -u</code></strong> format if your version of
-diff supports it; otherwise, use <strong class="userinput"><code>diff -c4</code></strong>. Make sure
-you do the diff against a clean version of the source and let me know
-exactly what version you used.
-</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="problems.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="tdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 39. Analyzing and Solving Samba Problems </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 41. Managing TDB Files</td></tr></table></div></body></html>
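Review bot: nothing in this hunk shows that the "Reporting Bugs" chapter can still be built once the file is gone. The first removed line carries a generator meta tag (DocBook XSL Stylesheets V1.75.2), so this is generated output and the whole-file deletion (@@ -1,159 +0,0 @@) is reasonable only if the chapter source stays in the tree and the docs build still emits it; the commit message should say so. The page links out to smb.conf.5.html#LOGLEVEL, smb.conf.5.html#DEBUGLEVEL, diagnosis.html, problems.html and tdb.html, and its Introduction asks reporters to "read this file before you submit a bug report", so any install rule, packaging file list or other document that still references docs/htmldocs/Samba3-HOWTO/bugreport.html needs updating in the same change.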
diff --git a/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html b/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html
deleted file mode 100644
index 3dfa68c805..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html
+++ /dev/null
@@ -1,180 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 34. Advanced Configuration Techniques</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="largefile.html" title="Chapter 33. Handling Large Directories"><link rel="next" href="migration.html" title="Part IV. Migration and Updating"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 34. Advanced Configuration Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="largefile.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 34. Advanced Configuration Techniques"><div class="titlepage"><div><div><h2 class="title"><a name="cfgsmarts"></a>Chapter 34. 
Advanced Configuration Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">June 30, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="cfgsmarts.html#id436235">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="cfgsmarts.html#id436244">Multiple Server Hosting</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id437590">Multiple Virtual Server Hosting</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id436097"></a>
-<a class="indexterm" name="id436104"></a>
-Since the release of the first edition of this book there have been repeated requests to better document
-configuration techniques that may help a network administrator to get more out of Samba. Some users have asked
-for documentation regarding the use of the <a class="link" href="smb.conf.5.html#INCLUDE" target="_top">include = file-name</a> parameter.
-</p><p>
-<a class="indexterm" name="id436129"></a>
-<a class="indexterm" name="id436135"></a>
-Commencing around mid-2004 there has been increasing interest in the ability to host multiple Samba servers on
-one machine. There has also been an interest in the hosting of multiple Samba server personalities on one
-server.
-</p><p>
-<a class="indexterm" name="id436148"></a>
-<a class="indexterm" name="id436154"></a>
-Feedback from technical reviewers made the inclusion of this chapter a necessity. So, here is an
-answer the questions that have to date not been adequately addressed. Additional user input is welcome as
-it will help this chapter to mature. What is presented here is just a small beginning.
-</p><p>
-<a class="indexterm" name="id436167"></a>
-<a class="indexterm" name="id436174"></a>
-<a class="indexterm" name="id436180"></a>
-There are a number of ways in which multiple servers can be hosted on a single Samba server. Multiple server
-hosting makes it possible to host multiple domain controllers on one machine. Each such machine is
-independent, and each can be stopped or started without affecting another.
-</p><p>
-<a class="indexterm" name="id436193"></a>
-<a class="indexterm" name="id436199"></a>
-<a class="indexterm" name="id436206"></a>
-Sometimes it is desirable to host multiple servers, each with its own security mode. For example, a single
-UNIX/Linux host may be a domain member server (DMS) as well as a generic anonymous print server. In this case,
-only domain member machines and domain users can access the DMS, but even guest users can access the generic
-print server. Another example of a situation where it may be beneficial to host a generic (anonymous) server
-is to host a CDROM server.
-</p><p>
-<a class="indexterm" name="id436220"></a>
-<a class="indexterm" name="id436226"></a>
-Some environments dictate the need to have separate servers, each with their own resources, each of which are
-accessible only by certain users or groups. This is one of the simple, but highly effective, ways that Samba
-can replace many physical Windows servers in one Samba installation.
-</p><div class="sect1" title="Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id436235"></a>Implementation</h2></div></div></div><p>
-</p><div class="sect2" title="Multiple Server Hosting"><div class="titlepage"><div><div><h3 class="title"><a name="id436244"></a>Multiple Server Hosting</h3></div></div></div><p>
-<a class="indexterm" name="id436252"></a>
-<a class="indexterm" name="id436259"></a>
-<a class="indexterm" name="id436266"></a>
-<a class="indexterm" name="id436272"></a>
-<a class="indexterm" name="id436279"></a>
-<a class="indexterm" name="id436286"></a>
-<a class="indexterm" name="id436293"></a>
-The use of multiple server hosting involves running multiple separate instances of Samba, each with it's own
-configuration file. This method is complicated by the fact that each instance of <span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span>
-must have write access to entirely separate TDB files. The ability to keep separate the TDB files used by
-<span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span> can be enabled either by recompiling Samba for each server hosted so each has its
-own default TDB directories, or by configuring these in the <code class="filename">smb.conf</code> file, in which case each instance of
-<span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span> must be told to start up with its own <code class="filename">smb.conf</code> configuration file.
-</p><p>
-<a class="indexterm" name="id436372"></a>
-<a class="indexterm" name="id436378"></a>
-<a class="indexterm" name="id436385"></a>
-<a class="indexterm" name="id436392"></a>
-Each instance should operate on its own IP address (that independent IP address can be an IP Alias).
-Each instance of <span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span> should listen only on its own IP socket. This can be secured
-using the <a class="link" href="smb.conf.5.html#SOCKETADDRESS" target="_top">socket address</a> parameter. Each instance of the Samba server will have its
-own SID also, this means that the servers are discrete and independent of each other.
-</p><p>
-<a class="indexterm" name="id436435"></a>
-<a class="indexterm" name="id436441"></a>
-<a class="indexterm" name="id436448"></a>
-<a class="indexterm" name="id436455"></a>
-<a class="indexterm" name="id436462"></a>
-<a class="indexterm" name="id436468"></a>
-<a class="indexterm" name="id436475"></a>
-<a class="indexterm" name="id436482"></a>
-<a class="indexterm" name="id436489"></a>
-The user of multiple server hosting is non-trivial, and requires careful configuration of each aspect of
-process management and start up. The <code class="filename">smb.conf</code> parameters that must be carefully configured includes:
-<a class="link" href="smb.conf.5.html#PRIVATEDIR" target="_top">private dir</a>, <a class="link" href="smb.conf.5.html#PIDDIRECTORY" target="_top">pid directory</a>,<a class="link" href="smb.conf.5.html#LOCKDIRECTORY" target="_top">lock directory</a>, <a class="link" href="smb.conf.5.html#INTERFACES" target="_top">interfaces</a>, <a class="link" href="smb.conf.5.html#BINDINTERFACESONLY" target="_top">bind interfaces only</a>, <a class="link" href="smb.conf.5.html#NETBIOSNAME" target="_top">netbios name</a>, <a class="link" href="smb.conf.5.html#WORKGROUP" target="_top">workgroup</a>, <a class="link" href="smb.conf.5.html#SOCKETADDRESS" target="_top">socket address</a>.
-</p><p>
-<a class="indexterm" name="id436593"></a>
-<a class="indexterm" name="id436600"></a>
-<a class="indexterm" name="id436606"></a>
-Those who elect to create multiple Samba servers should have the ability to read and follow
-the Samba source code, and to modify it as needed. This mode of deployment is considered beyond the scope of
-this book. However, if someone will contribute more comprehensive documentation we will gladly review it, and
-if it is suitable extend this section of this chapter. Until such documentation becomes available the hosting
-of multiple samba servers on a single host is considered not supported for Samba-3 by the Samba Team.
-</p></div><div class="sect2" title="Multiple Virtual Server Personalities"><div class="titlepage"><div><div><h3 class="title"><a name="id436620"></a>Multiple Virtual Server Personalities</h3></div></div></div><p>
-<a class="indexterm" name="id436628"></a>
-<a class="indexterm" name="id436635"></a>
-<a class="indexterm" name="id436642"></a>
-Samba has the ability to host multiple virtual servers, each of which have their own personality. This is
-achieved by configuring an <code class="filename">smb.conf</code> file that is common to all personalities hosted. Each server
-personality is hosted using its own <a class="link" href="smb.conf.5.html#NETBIOSALIAS" target="_top">netbios alias</a> name, and each has its own distinct
-<a class="link" href="smb.conf.5.html#%5BGLOBAL%5D" target="_top">[global]</a> section. Each server may have its own stanzas for services and meta-services.
-</p><p>
-<a class="indexterm" name="id436683"></a>
-<a class="indexterm" name="id436690"></a>
-<a class="indexterm" name="id436697"></a>
-When hosting multiple virtual servers, each with their own personality, each can be in a different workgroup.
-Only the primary server can be a domain member or a domain controller. The personality is defined by the
-combination of the <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security</a> mode it is operating in, the <a class="link" href="smb.conf.5.html#NETBIOSALIASES" target="_top">netbios aliases</a> it has, and the <a class="link" href="smb.conf.5.html#WORKGROUP" target="_top">workgroup</a> that is defined for it.
-</p><p>
-<a class="indexterm" name="id436743"></a>
-<a class="indexterm" name="id436750"></a>
-<a class="indexterm" name="id436756"></a>
-<a class="indexterm" name="id436763"></a>
-<a class="indexterm" name="id436770"></a>
-<a class="indexterm" name="id436777"></a>
-This configuration style can be used either with NetBIOS names, or using NetBIOS-less SMB over TCP services.
-If run using NetBIOS mode (the most common method) it is important that the parameter <a class="link" href="smb.conf.5.html#SMBPORTS" target="_top">smb ports = 139</a> should be specified in the primary <code class="filename">smb.conf</code> file. Failure to do this will result
-in Samba operating over TCP port 445 and problematic operation at best, and at worst only being able to obtain
-the functionality that is specified in the primary <code class="filename">smb.conf</code> file. The use of NetBIOS over TCP/IP using only
-TCP port 139 means that the use of the <code class="literal">%L</code> macro is fully enabled. If the <a class="link" href="smb.conf.5.html#SMBPORTS" target="_top">smb ports = 139</a> is not specified (the default is <em class="parameter"><code>445 139</code></em>, or if
-the value of this parameter is set at <em class="parameter"><code>139 445</code></em> then the <code class="literal">%L</code> macro
-is not serviceable.
-</p><p>
-<a class="indexterm" name="id436849"></a>
-<a class="indexterm" name="id436856"></a>
-<a class="indexterm" name="id436862"></a>
-<a class="indexterm" name="id436869"></a>
-It is possible to host multiple servers, each with their own personality, using port 445 (the NetBIOS-less SMB
-port), in which case the <code class="literal">%i</code> macro can be used to provide separate server identities (by
-IP Address). Each can have its own <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security</a> mode. It will be necessary to use the
-<a class="link" href="smb.conf.5.html#INTERFACES" target="_top">interfaces</a>, <a class="link" href="smb.conf.5.html#BINDINTERFACESONLY" target="_top">bind interfaces only</a> and IP aliases in addition to
-the <a class="link" href="smb.conf.5.html#NETBIOSNAME" target="_top">netbios name</a> parameters to create the virtual servers. This method is considerably
-more complex than that using NetBIOS names only using TCP port 139.
-</p><p>
-<a class="indexterm" name="id436930"></a>
-Consider an example environment that consists of a standalone, user-mode security Samba server and a read-only
-Windows 95 file server that has to be replaced. Instead of replacing the Windows 95 machine with a new PC, it
-is possible to add this server as a read-only anonymous file server that is hosted on the Samba server. Here
-are some parameters:
-</p><p>
-The Samba server is called <code class="literal">ELASTIC</code>, its workgroup name is <code class="literal">ROBINSNEST</code>.
-The CDROM server is called <code class="literal">CDSERVER</code> and its workgroup is <code class="literal">ARTSDEPT</code>. A
-possible implementation is shown here:
-</p><p>
-<a class="indexterm" name="id436971"></a>
-<a class="indexterm" name="id436978"></a>
-<a class="indexterm" name="id436985"></a>
-<a class="indexterm" name="id436992"></a>
-The <code class="filename">smb.conf</code> file for the master server is shown in <a class="link" href="cfgsmarts.html#elastic" title="Example 34.1. Elastic smb.conf File">Elastic smb.conf File</a>.
-This file is placed in the <code class="filename">/etc/samba</code> directory. Only the <span class="application">nmbd</span> and the <span class="application">smbd</span> daemons
-are needed. When started the server will appear in Windows Network Neighborhood as the machine
-<code class="literal">ELASTIC</code> under the workgroup <code class="literal">ROBINSNEST</code>. It is helpful if the Windows
-clients that must access this server are also in the workgroup <code class="literal">ROBINSNEST</code> as this will make
-browsing much more reliable.
-</p><div class="example"><a name="elastic"></a><p class="title"><b>Example 34.1. Elastic smb.conf File</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id437079"></a><em class="parameter"><code>workgroup = ROBINSNEST</code></em></td></tr><tr><td><a class="indexterm" name="id437090"></a><em class="parameter"><code>netbios name = ELASTIC</code></em></td></tr><tr><td><a class="indexterm" name="id437102"></a><em class="parameter"><code>netbios aliases = CDSERVER</code></em></td></tr><tr><td><a class="indexterm" name="id437114"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id437125"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id437136"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id437148"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id437160"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id437171"></a><em class="parameter"><code>include = /etc/samba/smb-%L.conf</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id437192"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id437203"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id437215"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id437226"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em 
class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id437246"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id437258"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id437269"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id437290"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id437301"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id437313"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id437323"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id437335"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id437346"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id437358"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id437372"></a>
-The configuration file for the CDROM server is listed in <a class="link" href="cfgsmarts.html#cdserver" title="Example 34.2. CDROM Server smb-cdserver.conf file">CDROM Server
-smb-cdserver.conf file</a>. This file is called <code class="filename">smb-cdserver.conf</code> and it should be
-located in the <code class="filename">/etc/samba</code> directory. Machines that are in the workgroup
-<code class="literal">ARTSDEPT</code> will be able to browse this server freely.
-</p><div class="example"><a name="cdserver"></a><p class="title"><b>Example 34.2. CDROM Server smb-cdserver.conf file</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id437435"></a><em class="parameter"><code>workgroup = ARTSDEPT</code></em></td></tr><tr><td><a class="indexterm" name="id437447"></a><em class="parameter"><code>netbios name = CDSERVER</code></em></td></tr><tr><td><a class="indexterm" name="id437458"></a><em class="parameter"><code>map to guest = Bad User</code></em></td></tr><tr><td><a class="indexterm" name="id437470"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[carousel]</code></em></td></tr><tr><td><a class="indexterm" name="id437490"></a><em class="parameter"><code>comment = CDROM Share</code></em></td></tr><tr><td><a class="indexterm" name="id437502"></a><em class="parameter"><code>path = /export/cddata</code></em></td></tr><tr><td><a class="indexterm" name="id437513"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id437525"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id437539"></a>
-<a class="indexterm" name="id437546"></a>
-<a class="indexterm" name="id437553"></a>
-<a class="indexterm" name="id437560"></a>
-The two servers have different resources and are in separate workgroups. The server <code class="literal">ELASTIC</code>
-can only be accessed by uses who have an appropriate account on the host server. All users will be able to
-access the CDROM data that is stored in the <code class="filename">/export/cddata</code> directory. File system
-permissions should set so that the <code class="literal">others</code> user has read-only access to the directory and its
-contents. The files can be owned by root (any user other than the nobody account).
-</p></div><div class="sect2" title="Multiple Virtual Server Hosting"><div class="titlepage"><div><div><h3 class="title"><a name="id437590"></a>Multiple Virtual Server Hosting</h3></div></div></div><p>
-<a class="indexterm" name="id437598"></a>
-<a class="indexterm" name="id437605"></a>
-<a class="indexterm" name="id437612"></a>
-In this example, the requirement is for a primary domain controller for the domain called
-<code class="literal">MIDEARTH</code>. The PDC will be called <code class="literal">MERLIN</code>. An extra machine called
-<code class="literal">SAURON</code> is required. Each machine will have only its own shares. Both machines belong to the
-same domain/workgroup.
-</p><p>
-<a class="indexterm" name="id437642"></a>
-<a class="indexterm" name="id437648"></a>
-<a class="indexterm" name="id437655"></a>
-The master <code class="filename">smb.conf</code> file is shown in <a class="link" href="cfgsmarts.html#mastersmbc" title="Example 34.3. Master smb.conf File Global Section">the Master smb.conf File Global Section</a>.
-The two files that specify the share information for each server are shown in <a class="link" href="cfgsmarts.html#merlinsmbc" title="Example 34.4. MERLIN smb-merlin.conf File Share Section">the
-smb-merlin.conf File Share Section</a>, and <a class="link" href="cfgsmarts.html#sauronsmbc" title="Example 34.5. SAURON smb-sauron.conf File Share Section">the smb-sauron.conf File Share
-Section</a>. All three files are locate in the <code class="filename">/etc/samba</code> directory.
-</p><div class="example"><a name="mastersmbc"></a><p class="title"><b>Example 34.3. Master smb.conf File Global Section</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id437726"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id437738"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td><a class="indexterm" name="id437749"></a><em class="parameter"><code>netbios aliases = SAURON</code></em></td></tr><tr><td><a class="indexterm" name="id437761"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id437772"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id437784"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id437795"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id437807"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id437818"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id437830"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id437842"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id437854"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id437865"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -G '%g' 
'%u'</code></em></td></tr><tr><td><a class="indexterm" name="id437877"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id437889"></a><em class="parameter"><code>logon script = scripts\login.bat</code></em></td></tr><tr><td><a class="indexterm" name="id437901"></a><em class="parameter"><code>logon path = </code></em></td></tr><tr><td><a class="indexterm" name="id437912"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id437924"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id437935"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id437947"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id437958"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id437970"></a><em class="parameter"><code>include = /etc/samba/smb-%L.conf</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="merlinsmbc"></a><p class="title"><b>Example 34.4. 
MERLIN smb-merlin.conf File Share Section</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id438010"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id438021"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id438042"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id438053"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id438065"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id438076"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id438096"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id438108"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id438119"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id438140"></a><em class="parameter"><code>comment = NETLOGON</code></em></td></tr><tr><td><a class="indexterm" name="id438151"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id438163"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id438174"></a><em 
class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id438195"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id438206"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id438218"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id438229"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id438241"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sauronsmbc"></a><p class="title"><b>Example 34.5. SAURON smb-sauron.conf File Share Section</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id438280"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id438292"></a><em class="parameter"><code>netbios name = SAURON</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[www]</code></em></td></tr><tr><td><a class="indexterm" name="id438312"></a><em class="parameter"><code>comment = Web Pages</code></em></td></tr><tr><td><a class="indexterm" name="id438324"></a><em class="parameter"><code>path = /srv/www/htdocs</code></em></td></tr><tr><td><a class="indexterm" name="id438335"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" 
href="largefile.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 33. Handling Large Directories </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part IV. Migration and Updating</td></tr></table></div></body></html>
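Review bot: The commit message should say where the source of this chapter lives once the rendered cfgsmarts.html is gone, because the removed text carries guidance that is not obvious from smb.conf alone: that `smb ports = 139` must be set for `include = /etc/samba/smb-%L.conf` to select the per-alias file (Examples 34.1 and 34.3), and that hosting multiple Samba servers on a single host is "considered not supported for Samba-3 by the Samba Team". The markup (sect1/indexterm classes, numbered anchors such as id436235) reads like stylesheet output rather than hand-written HTML. If it is regenerated from DocBook sources, state that. Also check that nothing left in the tree still links to cfgsmarts.html or its anchors (#elastic, #cdserver, #mastersmbc, #merlinsmbc, #sauronsmbc). The navfooter names largefile.html and migration.html as the neighbouring pages, so their Prev/Next links are the first place to look.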
diff --git a/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html b/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html
deleted file mode 100644
index 9606fd5462..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html
+++ /dev/null
@@ -1,287 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 46. LDAP and Transport Layer Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="speed.html" title="Chapter 45. Samba Performance Tuning"><link rel="next" href="ch47.html" title="Chapter 47. Samba Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 46. LDAP and Transport Layer Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="ch47.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 46. LDAP and Transport Layer Security"><div class="titlepage"><div><div><h2 class="title"><a name="ch-ldap-tls"></a>Chapter 46. 
LDAP and Transport Layer Security</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gavin</span> <span class="surname">Henry</span></h3><div class="affiliation"><span class="orgname">Suretec Systems Limited, UK<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:ghenry@suretecsystems.com">ghenry@suretecsystems.com</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">July 8, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-intro-ldap-tls"></a>Introduction</h2></div></div></div><p>
- <a class="indexterm" name="id452868"></a>
-<a class="indexterm" name="id452877"></a>
- Up until now, we have discussed the straightforward configuration of <span class="trademark">OpenLDAP</span>&#8482;,
- with some advanced features such as ACLs. This does not however, deal with the fact that the network
- transmissions are still in plain text. This is where <em class="firstterm">Transport Layer Security (TLS)</em>
- comes in.
- </p><p>
-<a class="indexterm" name="id452898"></a>
- <span class="trademark">OpenLDAP</span>&#8482; clients and servers are capable of using the Transport Layer Security (TLS)
- framework to provide integrity and confidentiality protections in accordance with <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC 2830</a>; <span class="emphasis"><em>Lightweight Directory Access Protocol (v3):
- Extension for Transport Layer Security.</em></span>
- </p><p>
-<a class="indexterm" name="id452926"></a>
- TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates
- are optional. We will only be discussing server certificates.
- </p><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
-<a class="indexterm" name="id452938"></a>
-<a class="indexterm" name="id452945"></a>
-<a class="indexterm" name="id452951"></a>
- The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the
- server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the
- <code class="option">subjectAltName</code> certificate extension. More details on server certificate names are in <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC2830</a>.
- </p></div><p>
- We will discuss this more in the next sections.
- </p></div><div class="sect1" title="Configuring"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-config-ldap-tls"></a>Configuring</h2></div></div></div><p>
- <a class="indexterm" name="id452988"></a>
- Now on to the good bit.
- </p><div class="sect2" title="Generating the Certificate Authority"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-certs"></a>Generating the Certificate Authority</h3></div></div></div><p>
-<a class="indexterm" name="id453011"></a>
- In order to create the relevant certificates, we need to become our own Certificate Authority (CA).
- <sup>[<a name="id453021" href="#ftn.id453021" class="footnote">8</a>]</sup> This is necessary, so we can sign the server certificate.
- </p><p>
-<a class="indexterm" name="id453048"></a>
- We will be using the <a class="ulink" href="http://www.openssl.org" target="_top">OpenSSL</a> <sup>[<a name="id453061" href="#ftn.id453061" class="footnote">9</a>]</sup> software for this, which is included with every great <span class="trademark">Linux</span>® distribution.
- </p><p>
- TLS is used for many types of servers, but the instructions<sup>[<a name="id453077" href="#ftn.id453077" class="footnote">10</a>]</sup> presented here, are tailored for <span class="application">OpenLDAP</span>.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- The <span class="emphasis"><em>Common Name (CN)</em></span>, in the following example, <span class="emphasis"><em>MUST</em></span> be
- the fully qualified domain name (FQDN) of your ldap server.
- </p></div><p>
- First we need to generate the CA:
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-<code class="prompt">root# </code> mkdir myCA
-</code>
-</pre><p>
- Move into that directory:
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-<code class="prompt">root# </code> cd myCA
-</code>
-</pre><p>
- Now generate the CA:<sup>[<a name="id453149" href="#ftn.id453149" class="footnote">11</a>]</sup>
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -newca
-CA certificate filename (or enter to create)
-
-Making CA certificate ...
-Generating a 1024 bit RSA private key
-.......................++++++
-.............................++++++
-writing new private key to './demoCA/private/cakey.pem'
-Enter PEM pass phrase:
-Verifying - Enter PEM pass phrase:
------
-You are about to be asked to enter information that will be incorporated
-into your certificate request.
-What you are about to enter is what is called a Distinguished Name or a DN.
-There are quite a few fields but you can leave some blank
-For some fields there will be a default value,
-If you enter '.', the field will be left blank.
------
-Country Name (2 letter code) [AU]:AU
-State or Province Name (full name) [Some-State]:NSW
-Locality Name (eg, city) []:Sydney
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas
-Organizational Unit Name (eg, section) []:IT
-Common Name (eg, YOUR name) []:ldap.abmas.biz
-Email Address []:support@abmas.biz
-</code>
-</pre><p>
- </p><p>
- There are some things to note here.
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- You <span class="emphasis"><em>MUST</em></span> remember the password, as we will need
- it to sign the server certificate..
- </p></li><li class="listitem"><p>
- The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be the
- fully qualified domain name (FQDN) of your ldap server.
- </p></li></ol></div></div><div class="sect2" title="Generating the Server Certificate"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-server"></a>Generating the Server Certificate</h3></div></div></div><p>
- Now we need to generate the server certificate:
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-<code class="prompt">root# </code> openssl req -new -nodes -keyout newreq.pem -out newreq.pem
-Generating a 1024 bit RSA private key
-.............++++++
-........................................................++++++
-writing new private key to 'newreq.pem'
------
-You are about to be asked to enter information that will be incorporated
-into your certificate request.
-What you are about to enter is what is called a Distinguished Name or a DN.
-There are quite a few fields but you can leave some blank
-For some fields there will be a default value,
-If you enter '.', the field will be left blank.
------
-Country Name (2 letter code) [AU]:AU
-State or Province Name (full name) [Some-State]:NSW
-Locality Name (eg, city) []:Sydney
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas
-Organizational Unit Name (eg, section) []:IT
-Common Name (eg, YOUR name) []:ldap.abmas.biz
-Email Address []:support@abmas.biz
-
-Please enter the following 'extra' attributes
-to be sent with your certificate request
-A challenge password []:
-An optional company name []:
-</code>
-</pre><p>
- </p><p>
- Again, there are some things to note here.
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- You should <span class="emphasis"><em>NOT</em></span> enter a password.
- </p></li><li class="listitem"><p>
- The <span class="emphasis"><em>Common Name (CN)</em></span>, <span class="emphasis"><em>MUST</em></span> be
- the fully qualified domain name (FQDN) of your ldap server.
- </p></li></ol></div><p>
- Now we sign the certificate with the new CA:
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -sign
-Using configuration from /etc/ssl/openssl.cnf
-Enter pass phrase for ./demoCA/private/cakey.pem:
-Check that the request matches the signature
-Signature ok
-Certificate Details:
-Serial Number: 1 (0x1)
-Validity
- Not Before: Mar 6 18:22:26 2005 EDT
- Not After : Mar 6 18:22:26 2006 EDT
-Subject:
- countryName = AU
- stateOrProvinceName = NSW
- localityName = Sydney
- organizationName = Abmas
- organizationalUnitName = IT
- commonName = ldap.abmas.biz
- emailAddress = support@abmas.biz
-X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE
- X509v3 Authority Key Identifier:
- keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC
- DirName:/C=AU/ST=NSW/L=Sydney/O=Abmas/OU=IT/
- CN=ldap.abmas.biz/emailAddress=support@abmas.biz
- serial:00
-
-Certificate is to be certified until Mar 6 18:22:26 2006 EDT (365 days)
-Sign the certificate? [y/n]:y
-
-
-1 out of 1 certificate requests certified, commit? [y/n]y
-Write out database with 1 new entries
-Data Base Updated
-Signed certificate is in newcert.pem
-</code>
-</pre><p>
- </p><p>
- That completes the server certificate generation.
- </p></div><div class="sect2" title="Installing the Certificates"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-install"></a>Installing the Certificates</h3></div></div></div><p>
- Now we need to copy the certificates to the right configuration directories,
- rename them at the same time (for convenience), change the ownership and
- finally the permissions:
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-<code class="prompt">root# </code> cp demoCA/cacert.pem /etc/openldap/
-<code class="prompt">root# </code> cp newcert.pem /etc/openldap/servercrt.pem
-<code class="prompt">root# </code> cp newreq.pem /etc/openldap/serverkey.pem
-<code class="prompt">root# </code> chown ldap.ldap /etc/openldap/*.pem
-<code class="prompt">root# </code> chmod 640 /etc/openldap/cacert.pem;
-<code class="prompt">root# </code> chmod 600 /etc/openldap/serverkey.pem
-</code>
-</pre><p>
- </p><p>
- Now we just need to add these locations to <code class="filename">slapd.conf</code>,
- anywhere before the <code class="option">database</code> declaration as shown here:
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-TLSCertificateFile /etc/openldap/servercrt.pem
-TLSCertificateKeyFile /etc/openldap/serverkey.pem
-TLSCACertificateFile /etc/openldap/cacert.pem
-</code>
-</pre><p>
- </p><p>
- Here is the declaration and <code class="filename">ldap.conf</code>:
-<code class="filename">ldap.conf</code>
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-TLS_CACERT /etc/openldap/cacert.pem
-</code>
-</pre><p>
- </p><p>
- That's all there is to it. Now on to <a class="xref" href="ch-ldap-tls.html#s1-test-ldap-tls" title="Testing">the section called &#8220;Testing&#8221;</a>
- </p></div></div><div class="sect1" title="Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-test-ldap-tls"></a>Testing</h2></div></div></div><p>
-<a class="indexterm" name="id453514"></a>
-This is the easy part. Restart the server:
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-<code class="prompt">root# </code> /etc/init.d/ldap restart
-Stopping slapd: [ OK ]
-Checking configuration files for slapd: config file testing succeeded
-Starting slapd: [ OK ]
-</code>
-</pre><p>
- Then, using <code class="literal">ldapsearch</code>, test an anonymous search with the
- <code class="option">-ZZ</code><sup>[<a name="id453553" href="#ftn.id453553" class="footnote">12</a>]</sup> option:
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
- -H 'ldap://ldap.abmas.biz:389' -ZZ
-</code>
-</pre><p>
- Your results should be the same as before you restarted the server, for example:
-</p><pre class="screen" width="90">
-<code class="computeroutput">
-<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
- -H 'ldap://ldap.abmas.biz:389' -ZZ
-
-# extended LDIF
-#
-# LDAPv3
-# base &lt;&gt; with scope sub
-# filter: (objectclass=*)
-# requesting: ALL
-#
-
-# abmas.biz
-dn: dc=ldap,dc=abmas,dc=biz
-objectClass: dcObject
-objectClass: organization
-o: Abmas
-dc: abmas
-
-# Manager, ldap.abmas.biz
-dn: cn=Manager,dc=ldap,dc=abmas,dc=biz
-objectClass: organizationalRole
-cn: Manager
-
-# ABMAS, abmas.biz
-dn: sambaDomainName=ABMAS,dc=ldap,dc=abmas,dc=biz
-sambaDomainName: ABMAS
-sambaSID: S-1-5-21-238355452-1056757430-1592208922
-sambaAlgorithmicRidBase: 1000
-objectClass: sambaDomain
-sambaNextUserRid: 67109862
-sambaNextGroupRid: 67109863
-</code>
-</pre><p>
- If you have any problems, please read <a class="xref" href="ch-ldap-tls.html#s1-int-ldap-tls" title="Troubleshooting">the section called &#8220;Troubleshooting&#8221;</a>
-</p></div><div class="sect1" title="Troubleshooting"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-int-ldap-tls"></a>Troubleshooting</h2></div></div></div><p>
-<a class="indexterm" name="id453635"></a>
-The most common error when configuring TLS, as I have already mentioned numerous times, is that the
-<span class="emphasis"><em>Common Name (CN)</em></span> you entered in <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-server" title="Generating the Server Certificate">the section called &#8220;Generating the Server Certificate&#8221;</a> is
-<span class="emphasis"><em>NOT</em></span> the Fully Qualified Domain Name (FQDN) of your ldap server.
-</p><p>
-Other errors could be that you have a typo somewhere in your <code class="literal">ldapsearch</code> command, or that
-your have the wrong permissions on the <code class="filename">servercrt.pem</code> and <code class="filename">cacert.pem</code>
-files. They should be set with <code class="literal">chmod 640</code>, as per <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-install" title="Installing the Certificates">the section called &#8220;Installing the Certificates&#8221;</a>.
-</p><p>
-For anything else, it's best to read through your ldap logfile or join the <span class="application">OpenLDAP</span> mailing list.
-</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id453021" href="#id453021" class="para">8</a>] </sup>We could however, get our generated server certificate signed by proper CAs, like <a class="ulink" href="http://www.thawte.com/" target="_top">Thawte</a> and <a class="ulink" href="http://www.verisign.com/" target="_top">VeriSign</a>, which
- you pay for, or the free ones, via <a class="ulink" href="http://www.cacert.org/" target="_top">CAcert</a>
- </p></div><div class="footnote"><p><sup>[<a name="ftn.id453061" href="#id453061" class="para">9</a>] </sup>The downside to
- making our own CA, is that the certificate is not automatically recognized by clients, like the commercial
- ones are.</p></div><div class="footnote"><p><sup>[<a name="ftn.id453077" href="#id453077" class="para">10</a>] </sup>For information straight from the
- horse's mouth, please visit <a class="ulink" href="http://www.openssl.org/docs/HOWTO/" target="_top">http://www.openssl.org/docs/HOWTO/</a>; the main OpenSSL
- site.</p></div><div class="footnote"><p><sup>[<a name="ftn.id453149" href="#id453149" class="para">11</a>] </sup>Your <code class="filename">CA.pl</code> or <code class="filename">CA.sh</code> might not be
- in the same location as mine is, you can find it by using the <code class="literal">locate</code> command, i.e.,
- <code class="literal">locate CA.pl</code>. If the command complains about the database being too old, run
- <code class="literal">updatedb</code> as <span class="emphasis"><em>root</em></span> to update it.</p></div><div class="footnote"><p><sup>[<a name="ftn.id453553" href="#id453553" class="para">12</a>] </sup>See <code class="literal">man ldapsearch</code></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ch47.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 45. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 47. Samba Support</td></tr></table></div></body></html>
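Review bot: The removed "Installing the Certificates" steps and the "Troubleshooting" paragraph disagree on file permissions: the steps run chmod 640 only on cacert.pem and chmod 600 on serverkey.pem, while Troubleshooting says servercrt.pem and cacert.pem should both be set with chmod 640. This hunk drops only the rendered HTML, so if the page is regenerated from a DocBook source that stays in the tree, the inconsistency comes back with it and should be fixed there. Two more things to fix in that source: the request step uses -keyout newreq.pem -out newreq.pem, so the private key and the request share one file, and that combined file is what gets copied to /etc/openldap/serverkey.pem. Both transcripts also show "Generating a 1024 bit RSA private key", which is too short for a CA or server key today. Finally, the page's own anchors (#s1-test-ldap-tls, #s1-int-ldap-tls, #s1-config-ldap-tls-install) disappear with the file, so any remaining document that links to them needs updating.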
diff --git a/docs/htmldocs/Samba3-HOWTO/ch47.html b/docs/htmldocs/Samba3-HOWTO/ch47.html
deleted file mode 100644
index 01e1795bc9..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/ch47.html
+++ /dev/null
@@ -1,106 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 47. Samba Support</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="ch-ldap-tls.html" title="Chapter 46. LDAP and Transport Layer Security"><link rel="next" href="DNSDHCP.html" title="Chapter 48. DNS and DHCP Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 47. Samba Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch-ldap-tls.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DNSDHCP.html">Next</a></td></tr></table><hr></div><div lang="en-US" class="chapter" title="Chapter 47. Samba Support"><div class="titlepage"><div><div><h2 class="title"><a name="id453711"></a>Chapter 47. Samba Support</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch47.html#id453826">Free Support</a></span></dt><dt><span class="sect1"><a href="ch47.html#id454025">Commercial Support</a></span></dt></dl></div><p>
-<a class="indexterm" name="id453720"></a>
-One of the most difficult to answer questions in the information technology industry is, <span class="quote">&#8220;<span class="quote">What is
-support?</span>&#8221;</span>. That question irritates some folks, as much as common answers may annoy others.
-</p><p>
-<a class="indexterm" name="id453735"></a>
-The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to
-an Internet service provider who, instead of listening to the problem to find a solution, blandly replies:
-<span class="quote">&#8220;<span class="quote">Oh, Linux? We do not support Linux!</span>&#8221;</span>. It has happened to me, and similar situations happen
-through-out the IT industry. Answers like that are designed to inform us that there are some customers
-that a business just does not want to deal with, and well may we feel the anguish of the rejection that
-is dished out.
-</p><p>
-One way to consider support is to view it as consisting of the right answer, in the right place,
-at the right time, no matter the situation. Support is all that it takes to take away pain, disruption,
-inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.
-</p><p>
-<a class="indexterm" name="id453759"></a>
-<a class="indexterm" name="id453765"></a>
-<a class="indexterm" name="id453772"></a>
-One of the forces that has become a driving force for the adoption of open source software is the fact that
-many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or
-that have been found wanting for other reasons.
-</p><p>
-<a class="indexterm" name="id453785"></a>
-<a class="indexterm" name="id453791"></a>
-In recognition of the need for needs satisfaction as the primary experience an information technology user or
-consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience
-in respect of problem resolution.
-</p><p>
-<a class="indexterm" name="id453804"></a>
-<a class="indexterm" name="id453810"></a>
-<a class="indexterm" name="id453817"></a>
-In the open source software arena there are two support options: free support and paid-for (commercial)
-support.
-</p><div class="sect1" title="Free Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id453826"></a>Free Support</h2></div></div></div><p>
-<a class="indexterm" name="id453834"></a>
-<a class="indexterm" name="id453841"></a>
-<a class="indexterm" name="id453848"></a>
-<a class="indexterm" name="id453854"></a>
-<a class="indexterm" name="id453861"></a>
-<a class="indexterm" name="id453868"></a>
- Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help
- facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user
- supported mutual assistance.
- </p><p>
-<a class="indexterm" name="id453880"></a>
-<a class="indexterm" name="id453887"></a>
-<a class="indexterm" name="id453894"></a>
-<a class="indexterm" name="id453900"></a>
-<a class="indexterm" name="id453907"></a>
- The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments.
- Information regarding subscription to the Samba mailing list can be found on the Samba <a class="ulink" href="https://lists.samba.org/mailman/" target="_top">web</a> site. The public mailing list that can be used to obtain
- free, user contributed, support is called the <code class="literal">samba</code> list. The email address for this list
- is at <code class="literal">mail:samba@samba.org</code>. Information regarding the Samba IRC channels may be found on
- the Samba <a class="ulink" href="http://www.samba.org/samba.irc.html" target="_top">IRC</a> web page.
- </p><p>
-<a class="indexterm" name="id453944"></a>
-<a class="indexterm" name="id453951"></a>
-<a class="indexterm" name="id453958"></a>
-<a class="indexterm" name="id453965"></a>
- As a general rule, it is considered poor net behavior to contact a Samba Team member directly
- for free support. Most active members of the Samba Team work exceptionally long hours to assist
- users who have demonstrated a qualified problem. Some team members may respond to direct email
- or telephone contact, with requests for assistance, by requesting payment. A few of the Samba
- Team members actually provide professional paid-for Samba support and it is therefore wise
- to show appropriate discretion and reservation in all direct contact.
- </p><p>
-<a class="indexterm" name="id453980"></a>
-<a class="indexterm" name="id453986"></a>
-<a class="indexterm" name="id453993"></a>
- When you stumble across a Samba bug, often the quickest way to get it resolved is by posting
- a bug <a class="ulink" href="https://bugzilla.samba.org/" target="_top">report</a>. All such reports are mailed to
- the responsible code maintainer for action. The better the report, and the more serious it is,
- the sooner it will be dealt with. On the other hand, if the responsible person can not duplicate
- the reported bug it is likely to be rejected. It is up to you to provide sufficient information
- that will permit the problem to be reproduced.
- </p><p>
-<a class="indexterm" name="id454013"></a>
- We all recognize that sometimes free support does not provide the answer that is sought within
- the time-frame required. At other times the problem is elusive and you may lack the experience
- necessary to isolate the problem and thus to resolve it. This is a situation where is may be
- prudent to purchase paid-for support.
- </p></div><div class="sect1" title="Commercial Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id454025"></a>Commercial Support</h2></div></div></div><p>
- There are six basic support oriented services that are most commonly sought by Samba sites:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Assistance with network design</p></li><li class="listitem"><p>Staff Training</p></li><li class="listitem"><p>Assistance with Samba network deployment and installation</p></li><li class="listitem"><p>Priority telephone or email Samba configuration assistance</p></li><li class="listitem"><p>Trouble-shooting and diagnostic assistance</p></li><li class="listitem"><p>Provision of quality assured ready-to-install Samba binary packages</p></li></ul></div><p>
-<a class="indexterm" name="id454069"></a>
-<a class="indexterm" name="id454076"></a>
- Information regarding companies that provide professional Samba support can be obtained by performing a Google
- search, as well as by reference to the Samba <a class="ulink" href="http://www.samba.org/samba/support.html" target="_top">Support</a> web page. Companies who notify the Samba Team
- that they provide commercial support are given a free listing that is sorted by the country of origin.
- Multiple listings are permitted, however no guarantee is offered. It is left to you to qualify a support
- provider and to satisfy yourself that both the company and its staff are able to deliver what is required of
- them.
- </p><p>
-<a class="indexterm" name="id454096"></a>
- The policy within the Samba Team is to treat all commercial support providers equally and to show no
- preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else.
- You are encouraged to obtain the services needed from a company in your local area. The open source movement
- is pro-community; so do what you can to help a local business to prosper.
- </p><p>
-<a class="indexterm" name="id454113"></a>
- Open source software support can be found in any quality, at any price and in any place you can
- to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for
- suffering in the mistaken belief that Samba is unsupported software it is supported.
- </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch-ldap-tls.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DNSDHCP.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 46. LDAP and Transport Layer Security </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 48. DNS and DHCP Configuration Guide</td></tr></table></div></body></html>
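Review bot: In the Free Support section being removed, the list address is written as mail:samba@samba.org, which is neither a mailto: URI nor a plain address, and the IRC and support pages are linked over http:// while the mailing list and Bugzilla links in the same section use https://. The generator meta tag on the first line shows this file is DocBook XSL output, so deleting it does not correct the text; if the chapter source is kept, fix the address and links there, along with the typos visible in this hunk ("dacility", "where is may be", "any place you can to obtain it", "unsupported software it is supported"). The navigation header and footer point Prev to ch-ldap-tls.html and Next to DNSDHCP.html, both of which the diffstat lists as changed in this commit, so check that no surviving page still links to ch47.html or its #id453826 and #id454025 anchors.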
diff --git a/docs/htmldocs/Samba3-HOWTO/classicalprinting.html b/docs/htmldocs/Samba3-HOWTO/classicalprinting.html
deleted file mode 100644
index 81bd562432..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/classicalprinting.html
+++ /dev/null
@@ -1,2048 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. Classical Printing Support</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"><link rel="next" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 21. Classical Printing Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="msdfs.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="CUPS-printing.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 21. Classical Printing Support"><div class="titlepage"><div><div><h2 class="title"><a name="classicalprinting"></a>Chapter 21. 
Classical Printing Support</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname">Danka Deutschland GmbH<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="classicalprinting.html#id389000">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id389202">Technical Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id389339">Client to Samba Print Job Processing</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id389393">Printing-Related Configuration Parameters</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id389487">Simple Print Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id389756">Verifying Configuration with <code class="literal">testparm</code></a></span></dt><dt><span 
class="sect2"><a href="classicalprinting.html#id389939">Rapid Configuration Validation</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id390291">Extended Printing Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id390731">Detailed Explanation Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id393254">Point'n'Print Client Drivers on Samba Servers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id393408">The Obsoleted [printer$] Section</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id393519">Creating the [print$] Share</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id393726">[print$] Stanza Parameters</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id394019">The [print$] Share Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id394148">Installing Drivers into [print$]</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id394232">Add Printer Wizard Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#inst-rpc">Installing Print Drivers Using <code class="literal">rpcclient</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id395921">Client Driver Installation Procedure</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id395936">First Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id396442">Additional Client Driver Installation</a></span></dt><dt><span class="sect2"><a 
href="classicalprinting.html#id396553">Always Make First Client Connection as root or <span class="quote">&#8220;<span class="quote">printer admin</span>&#8221;</span></a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id396711">Other Gotchas</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id396728">Setting Default Print Options for Client Drivers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397064">Supporting Large Numbers of Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397300">Adding New Printers with the Windows NT APW</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397538">Error Message: <span class="quote">&#8220;<span class="quote">Cannot connect under a different Name</span>&#8221;</span></a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397636">Take Care When Assembling Driver Files</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397860">Samba and Printer Ports</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397959">Avoiding Common Client Driver Misconfiguration</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id397992">The Imprints Toolset</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id398030">What Is Imprints?</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398060">Creating Printer Driver Packages</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398072">The Imprints Server</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398086">The Installation Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id398202">Adding Network Printers without User Interaction</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398444">The <code 
class="literal">addprinter</code> Command</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398477">Migration of Classical Printing to Samba</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398608">Publishing Printer Information in Active Directory or LDAP</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398635">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id398641">I Give My Root Password but I Do Not Get Access</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398678">My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389000"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id389008"></a>
-Printing is often a mission-critical service for the users. Samba can provide this service reliably and
-seamlessly for a client network consisting of Windows workstations.
-</p><p>
-<a class="indexterm" name="id389019"></a>
-<a class="indexterm" name="id389026"></a>
-<a class="indexterm" name="id389033"></a>
-<a class="indexterm" name="id389040"></a>
-<a class="indexterm" name="id389046"></a>
-<a class="indexterm" name="id389053"></a>
-<a class="indexterm" name="id389060"></a>
-<a class="indexterm" name="id389067"></a>
-<a class="indexterm" name="id389074"></a>
-<a class="indexterm" name="id389080"></a>
-<a class="indexterm" name="id389087"></a>
-<a class="indexterm" name="id389094"></a>
-<a class="indexterm" name="id389101"></a>
-<a class="indexterm" name="id389108"></a>
-A Samba print service may be run on a standalone or domain member server, side by side with file serving
-functions, or on a dedicated print server. It can be made as tightly or as loosely secured as needs dictate.
-Configurations may be simple or complex. Available authentication schemes are essentially the same as
-described for file services in previous chapters. Overall, Samba's printing support is now able to replace an
-NT or Windows 2000 print server full-square, with additional benefits in many cases. Clients may download and
-install drivers and printers through their familiar <code class="literal">Point'n'Print</code> mechanism. Printer
-installations executed by <code class="literal">Logon Scripts</code> are no problem. Administrators can upload and manage
-drivers to be used by clients through the familiar <code class="literal">Add Printer Wizard</code>. As an additional
-benefit, driver and printer management may be run from the command line or through scripts, making it more
-efficient in case of large numbers of printers. If a central accounting of print jobs (tracking every single
-page and supplying the raw data for all sorts of statistical reports) is required, this function is best
-supported by the newer Common UNIX Printing System (CUPS) as the print subsystem underneath the Samba hood.
-</p><p>
-<a class="indexterm" name="id389148"></a>
-<a class="indexterm" name="id389154"></a>
-This chapter outlines the fundamentals of Samba printing as implemented by the more traditional UNIX
-BSD- and System V-style printing systems. Much of the information in this chapter applies also to CUPS. If
-you use CUPS, you may be tempted to jump to the next chapter, but you will certainly miss a few things if you
-do. For further information refer to <a class="link" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a>.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id389176"></a>
-<a class="indexterm" name="id389183"></a>
-<a class="indexterm" name="id389190"></a>
-Most of the following examples have been verified on Windows XP Professional clients. Where this document
-describes the responses to commands given, bear in mind that Windows 200x/XP clients are quite similar but may
-differ in minor details. Windows NT4 is somewhat different again.
-</p></div></div><div class="sect1" title="Technical Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389202"></a>Technical Introduction</h2></div></div></div><p>
-<a class="indexterm" name="id389210"></a>
-<a class="indexterm" name="id389217"></a>
-<a class="indexterm" name="id389224"></a>
-Samba's printing support always relies on the installed print subsystem of the UNIX OS it runs on. Samba is a
-<code class="literal">middleman.</code> It takes print files from Windows (or other SMB) clients and passes them to the real
-printing system for further processing; therefore, it needs to communicate with both sides: the Windows print
-clients and the UNIX printing system. Hence, we must differentiate between the various client OS types, each
-of which behave differently, as well as the various UNIX print subsystems, which themselves have different
-features and are accessed differently.
-</p><p>
-<a class="indexterm" name="id389244"></a>
-<a class="indexterm" name="id389251"></a>
-This chapter deals with the traditional way of UNIX printing. The next chapter covers in great detail the more
-modern CUPS.
-</p><div class="important" title="Important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>
-<a class="indexterm" name="id389263"></a>
-CUPS users, be warned: do not just jump on to the next chapter. You might miss important information only found here!
-</p></div><p>
-<a class="indexterm" name="id389274"></a>
-<a class="indexterm" name="id389281"></a>
-<a class="indexterm" name="id389288"></a>
-<a class="indexterm" name="id389295"></a>
-It is apparent from postings on the Samba mailing list that print configuration is one of the most problematic
-aspects of Samba administration today. Many new Samba administrators have the impression that Samba performs
-some sort of print processing. Rest assured, Samba does not perform any type of print processing. It does not
-do any form of print filtering.
-</p><p>
-<a class="indexterm" name="id389308"></a>
-<a class="indexterm" name="id389315"></a>
-<a class="indexterm" name="id389322"></a>
-<a class="indexterm" name="id389328"></a>
-Samba obtains from its clients a data stream (print job) that it spools to a local spool area. When the entire
-print job has been received, Samba invokes a local UNIX/Linux print command and passes the spooled file to it.
-It is up to the local system printing subsystems to correctly process the print job and to submit it to the
-printer.
-</p><div class="sect2" title="Client to Samba Print Job Processing"><div class="titlepage"><div><div><h3 class="title"><a name="id389339"></a>Client to Samba Print Job Processing</h3></div></div></div><p>
-Successful printing from a Windows client via a Samba print server to a UNIX
-printer involves six (potentially seven) stages:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Windows opens a connection to the printer share.</p></li><li class="listitem"><p>Samba must authenticate the user.</p></li><li class="listitem"><p>Windows sends a copy of the print file over the network
- into Samba's spooling area.</p></li><li class="listitem"><p>Windows closes the connection.</p></li><li class="listitem"><p>Samba invokes the print command to hand the file over
- to the UNIX print subsystem's spooling area.</p></li><li class="listitem"><p>The UNIX print subsystem processes the print job.</p></li><li class="listitem"><p>The print file may need to be explicitly deleted
- from the Samba spooling area. This item depends on your print spooler
- configuration settings.</p></li></ol></div></div><div class="sect2" title="Printing-Related Configuration Parameters"><div class="titlepage"><div><div><h3 class="title"><a name="id389393"></a>Printing-Related Configuration Parameters</h3></div></div></div><p>
-<a class="indexterm" name="id389401"></a>
-<a class="indexterm" name="id389408"></a>
-<a class="indexterm" name="id389415"></a>
-There are a number of configuration parameters to control Samba's printing behavior. Please refer to the man
-page for <code class="filename">smb.conf</code> for an overview of these. As with other parameters, there are global-level (tagged with a
-<span class="emphasis"><em>G</em></span> in the listings) and service-level (<span class="emphasis"><em>S</em></span>) parameters.
-</p><div class="variablelist"><dl><dt><span class="term">Global Parameters</span></dt><dd><p> These <span class="emphasis"><em>may not</em></span> go into
- individual share definitions. If they go in by error,
- the <code class="literal">testparm</code> utility can discover this
- (if you run it) and tell you so.
- </p></dd><dt><span class="term">Service-Level Parameters</span></dt><dd><p> These may be specified in the
- <em class="parameter"><code>[global]</code></em> section of <code class="filename">smb.conf</code>.
- In this case they define the default behavior of all individual
- or service-level shares (provided they do not have a different
- setting defined for the same parameter, thus overriding the
- global default).
- </p></dd></dl></div></div></div><div class="sect1" title="Simple Print Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389487"></a>Simple Print Configuration</h2></div></div></div><p>
-<a class="indexterm" name="id389495"></a>
-<a class="indexterm" name="id389502"></a>
-<a class="indexterm" name="id389509"></a>
-<a class="indexterm" name="id389516"></a>
-<a class="link" href="classicalprinting.html#simpleprc" title="Example 21.1. Simple Configuration with BSD Printing">Simple Configuration with BSD Printing</a> shows a simple printing configuration.
-If you compare this with your own, you may find additional parameters that have been preconfigured by your OS
-vendor. Following is a discussion and explanation of the parameters. This example does not use many
-parameters. However, in many environments these are enough to provide a valid <code class="filename">smb.conf</code> file that enables
-all clients to print.
-</p><div class="example"><a name="simpleprc"></a><p class="title"><b>Example 21.1. Simple Configuration with BSD Printing</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id389563"></a><em class="parameter"><code>printing = bsd</code></em></td></tr><tr><td><a class="indexterm" name="id389575"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id389595"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id389607"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id389618"></a><em class="parameter"><code>public = yes</code></em></td></tr><tr><td><a class="indexterm" name="id389630"></a><em class="parameter"><code>writable = no</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id389644"></a>
-<a class="indexterm" name="id389651"></a>
-<a class="indexterm" name="id389658"></a>
-This is only an example configuration. Samba assigns default values to all configuration parameters. The
-defaults are conservative and sensible. When a parameter is specified in the <code class="filename">smb.conf</code> file, this overwrites
-the default value. The <code class="literal">testparm</code> utility when run as root is capable of reporting all
-settings, both default as well as <code class="filename">smb.conf</code> file settings. <code class="literal">Testparm</code> gives warnings for all
-misconfigured settings. The complete output is easily 360 lines and more, so you may want to pipe it through a
-pager program.
-</p><p>
-<a class="indexterm" name="id389696"></a>
-<a class="indexterm" name="id389703"></a>
-<a class="indexterm" name="id389710"></a>
-The syntax for the configuration file is easy to grasp. You should know that is not very picky about its
-syntax. As has been explained elsewhere in this book, Samba tolerates some spelling errors (such as
-<a class="link" href="smb.conf.5.html#BROWSEABLE" target="_top">browseable</a> instead of <a class="link" href="smb.conf.5.html#BROWSABLE" target="_top">browsable</a>), and spelling is
-case-insensitive. It is permissible to use <em class="parameter"><code>Yes/No</code></em> or <em class="parameter"><code>True/False</code></em>
-for Boolean settings. Lists of names may be separated by commas, spaces, or tabs.
-</p><div class="sect2" title="Verifying Configuration with testparm"><div class="titlepage"><div><div><h3 class="title"><a name="id389756"></a>Verifying Configuration with <code class="literal">testparm</code></h3></div></div></div><p>
-<a class="indexterm" name="id389768"></a>
-<a class="indexterm" name="id389775"></a>
-<a class="indexterm" name="id389782"></a>
-<a class="indexterm" name="id389789"></a>
-<a class="indexterm" name="id389795"></a>
-<a class="indexterm" name="id389802"></a>
-<a class="indexterm" name="id389809"></a>
-<a class="indexterm" name="id389816"></a>
-<a class="indexterm" name="id389823"></a>
-<a class="indexterm" name="id389829"></a>
-<a class="indexterm" name="id389836"></a>
-To see all (or at least most) printing-related settings in Samba, including the implicitly used ones, try the
-command outlined below. This command greps for all occurrences of <code class="constant">lp</code>,
-<code class="constant">print</code>, <code class="constant">spool</code>, <code class="constant">driver</code>,
-<code class="constant">ports</code>, and <code class="constant">[</code> in <code class="literal">testparm</code>'s output. This provides
-a convenient overview of the running <code class="literal">smbd</code> print configuration. This command does not show
-individually created printer shares or the spooling paths they may use. Here is the output of my Samba setup,
-with settings shown in <a class="link" href="classicalprinting.html#simpleprc" title="Example 21.1. Simple Configuration with BSD Printing">the example above</a>:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>testparm -s -v | egrep "(lp|print|spool|driver|ports|\[)"</code></strong>
- Load smb config files from /etc/samba/smb.conf
- Processing section "[homes]"
- Processing section "[printers]"
-
- [global]
- smb ports = 139 445
- lpq cache time = 10
- load printers = Yes
- printcap name = /etc/printcap
- disable spoolss = No
- enumports command =
- addprinter command =
- deleteprinter command =
- show add printer wizard = Yes
- os2 driver map =
- printer admin =
- min print space = 0
- max print jobs = 1000
- printable = No
- printing = bsd
- print command = lpr -r -P'%p' %s
- lpq command = lpq -P'%p'
- lprm command = lprm -P'%p' %j
- lppause command =
- lpresume command =
- printer name =
- use client driver = No
-
- [homes]
-
- [printers]
- path = /var/spool/samba
- printable = Yes
-</pre><p>
-</p><p>
-You can easily verify which settings were implicitly added by Samba's default behavior. <span class="emphasis"><em>Remember: it
-may be important in your future dealings with Samba.</em></span>
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-The <code class="literal">testparm</code> in Samba-3 behaves differently from that in 2.2.x: used without the
-<span class="quote">&#8220;<span class="quote">-v</span>&#8221;</span> switch, it only shows you the settings actually written into! To see the complete
-configuration used, add the <span class="quote">&#8220;<span class="quote">-v</span>&#8221;</span> parameter to testparm.
-</p></div></div><div class="sect2" title="Rapid Configuration Validation"><div class="titlepage"><div><div><h3 class="title"><a name="id389939"></a>Rapid Configuration Validation</h3></div></div></div><p>
-<a class="indexterm" name="id389947"></a>
-<a class="indexterm" name="id389954"></a>
-<a class="indexterm" name="id389960"></a>
-<a class="indexterm" name="id389967"></a>
-Should you need to troubleshoot at any stage, please always come back to this point first and verify if
-<code class="literal">testparm</code> shows the parameters you expect. To give you a warning from personal experience,
-try to just comment out the <a class="link" href="smb.conf.5.html#LOADPRINTERS" target="_top">load printers</a> parameter. If your 2.2.x system behaves like
-mine, you'll see this:
-</p><pre class="screen">
-<code class="prompt">root# </code>grep "load printers" /etc/samba/smb.conf
- # load printers = Yes
- # This setting is commented out!!
-
-<code class="prompt">root# </code>testparm -v /etc/samba/smb.conf | egrep "(load printers)"
- load printers = Yes
-</pre><p>
-<a class="indexterm" name="id390017"></a>
-<a class="indexterm" name="id390024"></a>
-I assumed that commenting out of this setting should prevent Samba from
-publishing my printers, but it still did. It took some time to figure out
-the reason. But I am no longer fooled ... at least not by this.
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>grep -A1 "load printers" /etc/samba/smb.conf</code></strong>
- load printers = No
- # The above setting is what I want!
- # load printers = Yes
- # This setting is commented out!
-
-<code class="prompt">root# </code><strong class="userinput"><code>testparm -s -v smb.conf.simpleprinting | egrep "(load printers)"</code></strong>
- load printers = No
-</pre><p>
-<a class="indexterm" name="id390063"></a>
-Only when the parameter is explicitly set to <a class="link" href="smb.conf.5.html#LOADPRINTERS" target="_top">load printers = No</a> would
-Samba conform with my intentions. So, my strong advice is:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Never rely on commented-out parameters.</p></li><li class="listitem"><p>Always set parameters explicitly as you intend them to
- behave.</p></li><li class="listitem"><p>Use <code class="literal">testparm</code> to uncover hidden
- settings that might not reflect your intentions.</p></li></ul></div><p>
-The following is the most minimal configuration file:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cat /etc/samba/smb.conf-minimal</code></strong>
- [printers]
-</pre><p>
-<a class="indexterm" name="id390128"></a>
-<a class="indexterm" name="id390135"></a>
-This example should show that you can use <code class="literal">testparm</code> to test any Samba configuration file.
-Actually, we encourage you <span class="emphasis"><em>not</em></span> to change your working system (unless you know exactly
-what you are doing). Don't rely on the assumption that changes will only take effect after you restart smbd!
-This is not the case. Samba rereads it every 60 seconds and on each new client connection. You might have to
-face changes for your production clients that you didn't intend to apply. You will now note a few more
-interesting things; <code class="literal">testparm</code> is useful to identify what the Samba print configuration would
-be if you used this minimalistic configuration. Here is what you can expect to find:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>testparm -v smb.conf-minimal | egrep "(print|lpq|spool|driver|ports|[)"</code></strong>
- Processing section "[printers]"
- WARNING: [printers] service MUST be printable!
- No path in service printers - using /tmp
-
- lpq cache time = 10
- load printers = Yes
- printcap name = /etc/printcap
- disable spoolss = No
- enumports command =
- addprinter command =
- deleteprinter command =
- show add printer wizard = Yes
- os2 driver map =
- printer admin =
- min print space = 0
- max print jobs = 1000
- printable = No
- printing = bsd
- print command = lpr -r -P%p %s
- lpq command = lpq -P%p
- printer name =
- use client driver = No
-
- [printers]
- printable = Yes
-</pre><p>
-<code class="literal">testparm</code> issued two warnings:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>We did not specify the <em class="parameter"><code>[printers]</code></em> section as printable.</p></li><li class="listitem"><p>We did not tell Samba which spool directory to use.</p></li></ul></div><p>
-<a class="indexterm" name="id390214"></a>
-<a class="indexterm" name="id390221"></a>
-<a class="indexterm" name="id390227"></a>
-<a class="indexterm" name="id390232"></a>
-However, this was not fatal, and Samba will default to values that will work. Please, do not rely on this and
-do not use this example. This was included to encourage you to be careful to design and specify your setup to
-do precisely what you require. The outcome on your system may vary for some parameters given, since Samba may
-have been built with different compile-time options. <span class="emphasis"><em>Warning:</em></span> do not put a comment sign
-<span class="emphasis"><em>at the end</em></span> of a valid line. It will cause the parameter to be ignored (just as if you had
-put the comment sign at the front). At first I regarded this as a bug in my Samba versions. But the man page
-clearly says: <code class="literal">Internal whitespace in a parameter value is retained verbatim.</code> This means
-that a line consisting of, for example,
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td># This defines LPRng as the printing system</td></tr><tr><td><a class="indexterm" name="id390266"></a><em class="parameter"><code>printing = lprng</code></em></td></tr></table><p>
-</p><p>
-will regard the whole of the string after the <code class="literal">=</code> sign as the value you want to define. This
-is an invalid value that will be ignored, and a default value will be used in its place.
-</p></div></div><div class="sect1" title="Extended Printing Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id390291"></a>Extended Printing Configuration</h2></div></div></div><p>
-<a class="indexterm" name="id390299"></a>
-<a class="indexterm" name="id390306"></a>
-<a class="indexterm" name="id390313"></a>
-<a class="indexterm" name="id390319"></a>
-<a class="link" href="classicalprinting.html#extbsdpr" title="Example 21.2. Extended BSD Printing Configuration">Extended BSD Printing Configuration</a> shows a more verbose configuration for
-print-related settings in a BSD-style printing environment. What follows is a discussion and explanation of
-the various parameters. We chose to use BSD-style printing here because it is still the most commonly used
-system on legacy UNIX/Linux installations. New installations predominantly use CUPS, which is discussed in a
-separate chapter. The example explicitly names many parameters that do not need to be specified because they
-are set by default. You could use a much leaner <code class="filename">smb.conf</code> file, or you can use <code class="literal">testparm</code> or
-<code class="literal">SWAT</code> to optimize the <code class="filename">smb.conf</code> file to remove all parameters that are set at default.
-</p><div class="example"><a name="extbsdpr"></a><p class="title"><b>Example 21.2. Extended BSD Printing Configuration</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id390388"></a><em class="parameter"><code>printing = bsd</code></em></td></tr><tr><td><a class="indexterm" name="id390399"></a><em class="parameter"><code>load printers = yes</code></em></td></tr><tr><td><a class="indexterm" name="id390411"></a><em class="parameter"><code>show add printer wizard = yes</code></em></td></tr><tr><td><a class="indexterm" name="id390422"></a><em class="parameter"><code>printcap name = /etc/printcap</code></em></td></tr><tr><td><a class="indexterm" name="id390434"></a><em class="parameter"><code>printer admin = @ntadmin, root</code></em></td></tr><tr><td><a class="indexterm" name="id390445"></a><em class="parameter"><code>max print jobs = 100</code></em></td></tr><tr><td><a class="indexterm" name="id390457"></a><em class="parameter"><code>lpq cache time = 20</code></em></td></tr><tr><td><a class="indexterm" name="id390468"></a><em class="parameter"><code>use client driver = no</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id390489"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id390500"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id390512"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id390523"></a><em class="parameter"><code>browseable = no</code></em></td></tr><tr><td><a class="indexterm" name="id390535"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id390546"></a><em 
class="parameter"><code>public = yes</code></em></td></tr><tr><td><a class="indexterm" name="id390558"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id390569"></a><em class="parameter"><code>writable = no </code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[my_printer_name]</code></em></td></tr><tr><td><a class="indexterm" name="id390589"></a><em class="parameter"><code>comment = Printer with Restricted Access</code></em></td></tr><tr><td><a class="indexterm" name="id390601"></a><em class="parameter"><code>path = /var/spool/samba_my_printer</code></em></td></tr><tr><td><a class="indexterm" name="id390613"></a><em class="parameter"><code>printer admin = kurt</code></em></td></tr><tr><td><a class="indexterm" name="id390624"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id390636"></a><em class="parameter"><code>printable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id390647"></a><em class="parameter"><code>writable = no</code></em></td></tr><tr><td><a class="indexterm" name="id390659"></a><em class="parameter"><code>hosts allow = 0.0.0.0</code></em></td></tr><tr><td><a class="indexterm" name="id390670"></a><em class="parameter"><code>hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60</code></em></td></tr><tr><td><a class="indexterm" name="id390682"></a><em class="parameter"><code>guest ok = no</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id390695"></a>
-<a class="indexterm" name="id390701"></a>
-<a class="indexterm" name="id390706"></a>
-This is an example configuration. You may not find all the settings that are in the configuration file that
-was provided by the OS vendor. Samba configuration parameters, if not explicitly set, default to a sensible
-value. To see all settings, as <code class="constant">root</code> use the <code class="literal">testparm</code> utility.
-<code class="literal">testparm</code> gives warnings for misconfigured settings.
-</p><div class="sect2" title="Detailed Explanation Settings"><div class="titlepage"><div><div><h3 class="title"><a name="id390731"></a>Detailed Explanation Settings</h3></div></div></div><p>
-The following is a discussion of the settings from <a class="link" href="classicalprinting.html#extbsdpr" title="Example 21.2. Extended BSD Printing Configuration">Extended BSD Printing
-Configuration</a>.
-</p><div class="sect3" title="The [global] Section"><div class="titlepage"><div><div><h4 class="title"><a name="id390748"></a>The [global] Section</h4></div></div></div><p>
-<a class="indexterm" name="id390755"></a>
-<a class="indexterm" name="id390762"></a>
-<a class="indexterm" name="id390769"></a>
-<a class="indexterm" name="id390776"></a>
-The <em class="parameter"><code>[global]</code></em> section is one of four special sections (along with <em class="parameter"><code>[homes]</code></em>, <em class="parameter"><code>[printers]</code></em>, and <em class="parameter"><code>[print$]</code></em>). The
-<em class="parameter"><code>[global]</code></em> contains all parameters that apply to the server as a whole. It is the place
-for parameters that have only a global meaning. It may also contain service-level parameters that define
-default settings for all other sections and shares. This way you can simplify the configuration and avoid
-setting the same value repeatedly. (Within each individual section or share, you may, however, override these
-globally set share settings and specify other values).
-</p><div class="variablelist"><dl><dt><span class="term"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = bsd </a></span></dt><dd><p>
-<a class="indexterm" name="id390841"></a>
-<a class="indexterm" name="id390847"></a>
-<a class="indexterm" name="id390854"></a>
-<a class="indexterm" name="id390861"></a>
-<a class="indexterm" name="id390868"></a>
-<a class="indexterm" name="id390874"></a>
-<a class="indexterm" name="id390881"></a>
-<a class="indexterm" name="id390888"></a>
-<a class="indexterm" name="id390895"></a>
-<a class="indexterm" name="id390901"></a>
-<a class="indexterm" name="id390908"></a>
-<a class="indexterm" name="id390915"></a>
- Causes Samba to use default print commands applicable for the BSD (also known as RFC 1179 style or LPR/LPD)
- printing system. In general, the <em class="parameter"><code>printing</code></em> parameter informs Samba about the print
- subsystem it should expect. Samba supports CUPS, LPD, LPRNG, SYSV, HPUX, AIX, QNX, and PLP. Each of these
- systems defaults to a different <a class="link" href="smb.conf.5.html#PRINTCOMMAND" target="_top">print command</a> (and other queue control commands).
- </p><div class="caution" title="Caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>
-<a class="indexterm" name="id390947"></a>
-<a class="indexterm" name="id390954"></a>
- The <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing</a> parameter is normally a service-level parameter. Since it is included
- here in the <em class="parameter"><code>[global]</code></em> section, it will take effect for all printer shares that are not
- defined differently. Samba-3 no longer supports the SOFTQ printing system.
- </p></div></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#LOADPRINTERS" target="_top">load printers = yes </a></span></dt><dd><p>
-<a class="indexterm" name="id390997"></a>
-<a class="indexterm" name="id391004"></a>
-<a class="indexterm" name="id391010"></a>
-<a class="indexterm" name="id391017"></a>
- Tells Samba to create automatically all available printer shares. Available printer shares are discovered by
- scanning the printcap file. All created printer shares are also loaded for browsing. If you use this
- parameter, you do not need to specify separate shares for each printer. Each automatically created printer
- share will clone the configuration options found in the <em class="parameter"><code>[printers]</code></em> section. (The
- <em class="parameter"><code>load printers = no</code></em> setting will allow you to specify each UNIX printer you want to
- share separately, leaving out some you do not want to be publicly visible and available).
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#SHOWADDPRINTERWIZARD" target="_top">show add printer wizard = yes </a></span></dt><dd><p>
-<a class="indexterm" name="id391060"></a>
-<a class="indexterm" name="id391066"></a>
-<a class="indexterm" name="id391073"></a>
-<a class="indexterm" name="id391080"></a>
-<a class="indexterm" name="id391087"></a>
- Setting is normally enabled by default (even if the parameter is not specified in <code class="filename">smb.conf</code>). It causes the
- <span class="guiicon">Add Printer Wizard</span> icon to appear in the <span class="guiicon">Printers</span> folder of the Samba
- host's share listing (as shown in <span class="guiicon">Network Neighborhood</span> or by the <code class="literal">net
- view</code> command). To disable it, you need to explicitly set it to <code class="constant">no</code> (commenting
- it out will not suffice). The <em class="parameter"><code>Add Printer Wizard</code></em> lets you upload a printer driver to
- the <em class="parameter"><code>[print$]</code></em> share and associate it with a printer (if the respective queue exists
- before the action), or exchange a printer's driver for any other previously uploaded driver.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#MAXPRINTJOBS" target="_top">max print jobs = 100 </a></span></dt><dd><p>
-<a class="indexterm" name="id391162"></a>
- Sets the upper limit to 100 print jobs being active on the Samba server at any one time. Should a client
- submit a job that exceeds this number, a "no more space available on server" type of error message will be
- returned by Samba to the client. A setting of zero (the default) means there is <span class="emphasis"><em>no</em></span> limit
- at all.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#PRINTCAPNAME" target="_top">printcap name = /etc/printcap </a></span></dt><dd><p>
-<a class="indexterm" name="id391194"></a>
-<a class="indexterm" name="id391201"></a>
-<a class="indexterm" name="id391208"></a>
- Tells Samba where to look for a list of available printer names. Where CUPS is used, make sure that a printcap
- file is written. This is controlled by the <code class="constant">Printcap</code> directive in the
- <code class="filename">cupsd.conf</code> file.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin = @ntadmin </a></span></dt><dd><p>
-<a class="indexterm" name="id391243"></a>
-<a class="indexterm" name="id391249"></a>
-<a class="indexterm" name="id391256"></a>
-<a class="indexterm" name="id391263"></a>
- Members of the ntadmin group should be able to add drivers and set printer properties
- (<code class="constant">ntadmin</code> is only an example name; it needs to be a valid UNIX group name); root is
- implicitly always a <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a>. The <code class="literal">@</code> sign precedes group names
- in the <code class="filename">/etc/group</code>. A printer admin can do anything to printers via the remote
- administration interfaces offered by MS-RPC (see <a class="link" href="classicalprinting.html#cups-msrpc" title="Printing Developments Since Samba-2.2">Printing Developments Since
- Samba-2.2</a>). In larger installations, the <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a> parameter is normally a
- per-share parameter. This permits different groups to administer each printer share.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#LPQCACHETIME" target="_top">lpq cache time = 20 </a></span></dt><dd><p>
-<a class="indexterm" name="id391336"></a>
-<a class="indexterm" name="id391342"></a>
- Controls the cache time for the results of the lpq command. It prevents the lpq command being called too often
- and reduces the load on a heavily used print server.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#USECLIENTDRIVER" target="_top">use client driver = no </a></span></dt><dd><p>
-<a class="indexterm" name="id391369"></a>
- If set to <code class="constant">yes</code>, only takes effect for Windows NT/200x/XP clients (and not for Win
- 95/98/ME). Its default value is <code class="constant">No</code> (or <code class="constant">False</code>). It must
- <span class="emphasis"><em>not</em></span> be enabled on print shares (with a <code class="constant">yes</code> or
- <code class="constant">true</code> setting) that have valid drivers installed on the Samba server. For more detailed
- explanations, see the <code class="filename">smb.conf</code> man page.
- </p></dd></dl></div></div><div class="sect3" title="The [printers] Section"><div class="titlepage"><div><div><h4 class="title"><a name="ptrsect"></a>The [printers] Section</h4></div></div></div><p>
-<a class="indexterm" name="id391419"></a>
-<a class="indexterm" name="id391426"></a>
-The printers section is the second special section. If a section with this name appears in the <code class="filename">smb.conf</code>,
-users are able to connect to any printer specified in the Samba host's printcap file, because Samba on startup
-then creates a printer share for every printer name it finds in the printcap file. You could regard this
-section as a convenient shortcut to share all printers with minimal configuration. It is also a container for
-settings that should apply as default to all printers. (For more details, see the <code class="filename">smb.conf</code> man page.)
-Settings inside this container must be share-level parameters.
-</p><div class="variablelist"><dl><dt><span class="term"><a class="link" href="smb.conf.5.html#COMMENT" target="_top">comment = All printers </a></span></dt><dd><p>
- The <a class="link" href="smb.conf.5.html#COMMENT" target="_top">comment</a> is shown next to the share if
- a client queries the server, either via <span class="guiicon">Network Neighborhood</span> or with
- the <code class="literal">net view</code> command, to list available shares.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#PRINTABLE" target="_top">printable = yes </a></span></dt><dd><p>
- The <em class="parameter"><code>[printers]</code></em> service <span class="emphasis"><em>must</em></span>
- be declared as printable. If you specify otherwise, smbd will refuse to load at
- startup. This parameter allows connected clients to open, write to, and submit spool files
- into the directory specified with the <a class="link" href="smb.conf.5.html#PATH" target="_top">path</a>
- parameter for this service. It is used by Samba to differentiate printer shares from
- file shares.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#PATH" target="_top">path = /var/spool/samba </a></span></dt><dd><p>
- Must point to a directory used by Samba to spool incoming print files. <span class="emphasis"><em>It
- must not be the same as the spool directory specified in the configuration of your UNIX
- print subsystem!</em></span> The path typically points to a directory that is world
- writable, with the <span class="emphasis"><em>sticky</em></span> bit set to it.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#BROWSEABLE" target="_top">browseable = no </a></span></dt><dd><p>
- Is always set to <code class="constant">no</code> if
- <a class="link" href="smb.conf.5.html#PRINTABLE" target="_top">printable = yes</a>. It makes
- the <em class="parameter"><code>[printer]</code></em> share itself invisible in the list of
- available shares in a <code class="literal">net view</code> command or in the Explorer browse
- list. (You will of course see the individual printers.)
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#GUESTOK" target="_top">guest ok = yes </a></span></dt><dd><p>
- If this parameter is set to <code class="constant">yes</code>, no password is required to
- connect to the printer's service. Access will be granted with the privileges of the
- <a class="link" href="smb.conf.5.html#GUESTACCOUNT" target="_top">guest account</a>. On many systems the guest
- account will map to a user named "nobody." This user will usually be found
- in the UNIX passwd file with an empty password, but with no valid UNIX login. On some
- systems the guest account might not have the privilege to be able to print. Test this
- by logging in as your guest user using <code class="literal">su - guest</code> and run a system
- print command like:
- </p><p>
- <strong class="userinput"><code>lpr -P printername /etc/motd</code></strong>
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#PUBLIC" target="_top">public = yes </a></span></dt><dd><p>
- Is a synonym for <a class="link" href="smb.conf.5.html#GUESTOK" target="_top">guest ok = yes</a>.
- Since we have <a class="link" href="smb.conf.5.html#GUESTOK" target="_top">guest ok = yes</a>, it
- really does not need to be here. (This leads to the interesting question, <span class="quote">&#8220;<span class="quote">What if I
- by accident have two contradictory settings for the same share?</span>&#8221;</span> The answer is that the
- last one encountered by Samba wins. <code class="literal">testparm</code> does not complain about different settings
- of the same parameter for the same share. You can test this by setting up multiple
- lines for the <em class="parameter"><code>guest account</code></em> parameter with different usernames,
- and then run testparm to see which one is actually used by Samba.)
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#READONLY" target="_top">read only = yes </a></span></dt><dd><p>
- Normally (for other types of shares) prevents users from creating or modifying files
- in the service's directory. However, in a <span class="emphasis"><em>printable</em></span> service, it is
- <span class="emphasis"><em>always</em></span> allowed to write to the directory (if user privileges allow the
- connection), but only via print spooling operations. Normal write operations are not permitted.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#WRITABLE" target="_top">writable = no </a></span></dt><dd><p>
- Is a synonym for <a class="link" href="smb.conf.5.html#READONLY" target="_top">read only = yes</a>.
- </p></dd></dl></div></div><div class="sect3" title="Any [my_printer_name] Section"><div class="titlepage"><div><div><h4 class="title"><a name="id391779"></a>Any [my_printer_name] Section</h4></div></div></div><p>
-<a class="indexterm" name="id391787"></a>
-<a class="indexterm" name="id391794"></a>
-If a <em class="parameter"><code>[my_printer_name]</code></em> section appears in the <code class="filename">smb.conf</code> file, which includes the
-parameter <a class="link" href="smb.conf.5.html#PRINTABLE" target="_top">printable = yes</a> Samba will configure it as a printer share.
-Windows 9x/Me clients may have problems with connecting or loading printer drivers if the share name has more
-than eight characters. Do not name a printer share with a name that may conflict with an existing user or file
-share name. On client connection requests, Samba always tries to find file shares with that name first. If it
-finds one, it will connect to this and will not connect to a printer with the same name!
-</p><div class="variablelist"><dl><dt><span class="term"><a class="link" href="smb.conf.5.html#COMMENT" target="_top">comment = Printer with Restricted Access </a></span></dt><dd><p>
- The comment says it all.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#PATH" target="_top">path = /var/spool/samba_my_printer </a></span></dt><dd><p>
- Sets the spooling area for this printer to a directory other than the default. It is not
- necessary to set it differently, but the option is available.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin = kurt </a></span></dt><dd><p>
- The printer admin definition is different for this explicitly defined printer share from the general
- <em class="parameter"><code>[printers]</code></em> share. It is not a requirement; we did it to show that it is possible.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#BROWSEABLE" target="_top">browseable = yes </a></span></dt><dd><p>
- This makes the printer browseable so the clients may conveniently find it when browsing the
- <span class="guiicon">Network Neighborhood</span>.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#PRINTABLE" target="_top">printable = yes </a></span></dt><dd><p>
- See <a class="link" href="classicalprinting.html#ptrsect" title="The [printers] Section">Section 20.4.1.2</a>.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#WRITABLE" target="_top">writable = no </a></span></dt><dd><p>
- See <a class="link" href="classicalprinting.html#ptrsect" title="The [printers] Section">Section 20.4.1.2</a>.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#HOSTSALLOW" target="_top">hosts allow = 10.160.50.,10.160.51. </a></span></dt><dd><p>
- Here we exercise a certain degree of access control by using the <a class="link" href="smb.conf.5.html#HOSTSALLOW" target="_top">hosts allow</a>
- and <a class="link" href="smb.conf.5.html#HOSTSDENY" target="_top">hosts deny</a> parameters. This is not by any means a safe bet. It is not a
- way to secure your printers. This line accepts all clients from a certain subnet in a first evaluation of
- access control.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#HOSTSDENY" target="_top">hosts deny = turbo_xp,10.160.50.23,10.160.51.60 </a></span></dt><dd><p>
- All listed hosts are not allowed here (even if they belong to the allowed subnets). As
- you can see, you could name IP addresses as well as NetBIOS hostnames here.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#GUESTOK" target="_top">guest ok = no </a></span></dt><dd><p>
- This printer is not open for the guest account.
- </p></dd></dl></div></div><div class="sect3" title="Print Commands"><div class="titlepage"><div><div><h4 class="title"><a name="id392052"></a>Print Commands</h4></div></div></div><p>
-<a class="indexterm" name="id392059"></a>
-<a class="indexterm" name="id392066"></a>
-<a class="indexterm" name="id392073"></a>
-<a class="indexterm" name="id392080"></a>
-In each section defining a printer (or in the <em class="parameter"><code>[printers]</code></em> section),
-a <em class="parameter"><code>print command</code></em> parameter may be defined. It sets a command to process the files
-that have been placed into the Samba print spool directory for that printer. (That spool directory was,
-if you remember, set up with the <a class="link" href="smb.conf.5.html#PATH" target="_top">path</a> parameter). Typically,
-this command will submit the spool file to the Samba host's print subsystem, using the suitable system
-print command. But there is no requirement that this needs to be the case. For debugging or
-some other reason, you may want to do something completely different than print the file. An example is a
-command that just copies the print file to a temporary location for further investigation when you need
-to debug printing. If you craft your own print commands (or even develop print command shell scripts),
-make sure you pay attention to the need to remove the files from the Samba spool directory. Otherwise,
-your hard disk may soon suffer from shortage of free space.
-</p></div><div class="sect3" title="Default UNIX System Printing Commands"><div class="titlepage"><div><div><h4 class="title"><a name="id392119"></a>Default UNIX System Printing Commands</h4></div></div></div><p>
-<a class="indexterm" name="id392127"></a>
-You learned earlier that Samba, in most cases, uses its built-in settings for many parameters if it cannot
-find an explicitly stated one in its configuration file. The same is true for the <a class="link" href="smb.conf.5.html#PRINTCOMMAND" target="_top">print command</a>. The default print command varies depending on the <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing</a> parameter
-setting. In the commands listed in <a class="link" href="classicalprinting.html#printOptions" title="Table 21.1. Default Printing Settings">Default Printing Settings</a> , you will
-notice some parameters of the form <span class="emphasis"><em>%X</em></span> where <span class="emphasis"><em>X</em></span> is <span class="emphasis"><em>p, s,
-J</em></span>, and so on. These letters stand for printer name, spool file, and job ID, respectively. They are
-explained in more detail in <a class="link" href="classicalprinting.html#printOptions" title="Table 21.1. Default Printing Settings">Default Printing Settings</a> presents an overview
-of key printing options but excludes the special case of CUPS, is discussed in <a class="link" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a>.
-</p><div class="table"><a name="printOptions"></a><p class="title"><b>Table 21.1. Default Printing Settings</b></p><div class="table-contents"><table summary="Default Printing Settings" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Setting</th><th align="left">Default Printing Commands</th></tr></thead><tbody><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = bsd|aix|lprng|plp</a></td><td align="left">print command is <code class="literal">lpr -r -P%p %s</code></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = sysv|hpux</a></td><td align="left">print command is <code class="literal">lp -c -P%p %s; rm %s</code></td></tr><tr><td align="left"> <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = qnx</a></td><td align="left">print command is <code class="literal">lp -r -P%p -s %s</code></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = bsd|aix|lprng|plp</a></td><td align="left">lpq command is <code class="literal">lpq -P%p</code></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = sysv|hpux</a></td><td align="left">lpq command is <code class="literal">lpstat -o%p</code></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = qnx</a></td><td align="left">lpq command is <code class="literal">lpq -P%p</code></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = bsd|aix|lprng|plp</a></td><td align="left">lprm command is <code class="literal">lprm -P%p %j</code></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = sysv|hpux</a></td><td align="left">lprm command is <code class="literal">cancel %p-%j</code></td></tr><tr><td align="left"><a class="link" 
href="smb.conf.5.html#PRINTING" target="_top">printing = qnx</a></td><td align="left">lprm command is <code class="literal">cancel %p-%j</code></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = bsd|aix|lprng|plp</a></td><td align="left">lppause command is <code class="literal">lp -i %p-%j -H hold</code></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = sysv|hpux</a></td><td align="left">lppause command (...is empty)</td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = qnx</a></td><td align="left">lppause command (...is empty)</td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = bsd|aix|lprng|plp</a></td><td align="left">lpresume command is <code class="literal">lp -i %p-%j -H resume</code></td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = sysv|hpux</a></td><td align="left">lpresume command (...is empty)</td></tr><tr><td align="left"><a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = qnx</a></td><td align="left">lpresume command (...is empty)</td></tr></tbody></table></div></div><br class="table-break"><p>
-<a class="indexterm" name="id392567"></a>
-<a class="indexterm" name="id392574"></a>
-<a class="indexterm" name="id392581"></a>
-<a class="indexterm" name="id392587"></a>
-For <em class="parameter"><code>printing = CUPS</code></em>, if Samba is compiled against libcups, it uses the CUPS API to
-submit jobs. (It is a good idea also to set <a class="link" href="smb.conf.5.html#PRINTCAP" target="_top">printcap = cups</a> in case your
-<code class="filename">cupsd.conf</code> is set to write its autogenerated printcap file to an unusual place).
-Otherwise, Samba maps to the System V printing commands with the -oraw option for printing; that is, it uses
-<code class="literal">lp -c -d%p -oraw; rm %s</code>. With <em class="parameter"><code>printing = cups</code></em>, and if Samba is
-compiled against libcups, any manually set print command will be ignored!
-</p></div><div class="sect3" title="Custom Print Commands"><div class="titlepage"><div><div><h4 class="title"><a name="id392635"></a>Custom Print Commands</h4></div></div></div><p>
-<a class="indexterm" name="id392643"></a>
-<a class="indexterm" name="id392650"></a>
-After a print job has finished spooling to a service, the <a class="link" href="smb.conf.5.html#PRINTCOMMAND" target="_top">print command</a> will be used
-by Samba via a system() call to process the spool file. Usually the command specified will submit the spool
-file to the host's printing subsystem. But there is no requirement at all that this must be the case. The
-print subsystem may not remove the spool file on its own, so whatever command you specify, you should ensure
-that the spool file is deleted after it has been processed.
-</p><p>
-<a class="indexterm" name="id392675"></a>
-<a class="indexterm" name="id392681"></a>
-<a class="indexterm" name="id392688"></a>
-<a class="indexterm" name="id392695"></a>
-There is no difficulty with using your own customized print commands with the traditional printing systems.
-However, if you do not wish to roll your own, you should be well informed about the default built-in commands
-that Samba uses for each printing subsystem (see <a class="link" href="classicalprinting.html#printOptions" title="Table 21.1. Default Printing Settings">Default Printing
-Settings</a>). In all the commands listed in the last paragraphs, you see parameters of the form
-<span class="emphasis"><em>%X</em></span>. These are <span class="emphasis"><em>macros</em></span>, or shortcuts, used as placeholders for the
-names of real objects. At the time of running a command with such a placeholder, Samba will insert the
-appropriate value automatically. Print commands can handle all Samba macro substitutions. In regard to
-printing, the following ones do have special relevance:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><em class="parameter"><code>%s, %f</code></em> the path to the spool file name.</p></li><li class="listitem"><p><em class="parameter"><code>%p</code></em> the appropriate printer name.</p></li><li class="listitem"><p><em class="parameter"><code>%J</code></em> the job name as transmitted by the client.</p></li><li class="listitem"><p><em class="parameter"><code>%c</code></em> the number of printed pages of the spooled job (if known).</p></li><li class="listitem"><p><em class="parameter"><code>%z</code></em> the size of the spooled print job (in bytes).</p></li></ul></div><p>
-<a class="indexterm" name="id392787"></a>
-The print command must contain at least one occurrence of <em class="parameter"><code>%s</code></em> or
-<em class="parameter"><code>%f</code></em>. The <em class="parameter"><code>%p</code></em> is optional. If no printer name is supplied,
-the <em class="parameter"><code>%p</code></em> will be silently removed from the print command. In this case, the job is
-sent to the default printer.
-</p><p>
-<a class="indexterm" name="id392820"></a>
-<a class="indexterm" name="id392827"></a>
-If specified in the <em class="parameter"><code>[global]</code></em> section, the print command given will be
-used for any printable service that does not have its own print command specified. If there is neither a
-specified print command for a printable service nor a global print command, spool files will be created
-but not processed! Most importantly, print files will not be removed, so they will consume disk space.
-</p><p>
-<a class="indexterm" name="id392846"></a>
-<a class="indexterm" name="id392853"></a>
-Printing may fail on some UNIX systems when using the <span class="emphasis"><em>nobody</em></span> account. If this happens, create an
-alternative guest account and give it the privilege to print. Set up this guest account in the
-<em class="parameter"><code>[global]</code></em> section with the <em class="parameter"><code>guest account</code></em> parameter.
-</p><p>
-<a class="indexterm" name="id392880"></a>
-<a class="indexterm" name="id392887"></a>
-<a class="indexterm" name="id392894"></a>
-You can form quite complex print commands. You need to realize that print commands are just
-passed to a UNIX shell. The shell is able to expand the included environment variables as
-usual. (The syntax to include a UNIX environment variable <em class="parameter"><code>$variable</code></em>
-in the Samba print command is <em class="parameter"><code>%$variable</code></em>.) To give you a working
-<a class="link" href="smb.conf.5.html#PRINTCOMMAND" target="_top">print command</a> example, the following will log a print job
-to <code class="filename">/tmp/print.log</code>, print the file, then remove it. The semicolon (<span class="quote">&#8220;<span class="quote">;</span>&#8221;</span>)
-is the usual separator for commands in shell scripts:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id392944"></a><em class="parameter"><code>print command = echo Printing %s &gt;&gt; /tmp/print.log; lpr -P %p %s; rm %s</code></em></td></tr></table><p>
-You may have to vary your own command considerably from this example depending on how you normally print
-files on your system. The default for the <a class="link" href="smb.conf.5.html#PRINTCOMMAND" target="_top">print command</a>
-parameter varies depending on the setting of the <a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing</a>
-parameter. Another example is:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id392990"></a><em class="parameter"><code>print command = /usr/local/samba/bin/myprintscript %p %s</code></em></td></tr></table></div></div></div><div class="sect1" title="Printing Developments Since Samba-2.2"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="cups-msrpc"></a>Printing Developments Since Samba-2.2</h2></div></div></div><p>
-<a class="indexterm" name="id393017"></a>
-<a class="indexterm" name="id393023"></a>
-<a class="indexterm" name="id393030"></a>
-Prior to Samba-2.2.x, print server support for Windows clients was limited to <span class="emphasis"><em>LanMan</em></span>
-printing calls. This is the same protocol level as Windows 9x/Me PCs offer when they share printers.
-Beginning with the 2.2.0 release, Samba started to support the native Windows NT printing mechanisms. These
-are implemented via <span class="emphasis"><em>MS-RPC</em></span> (Remote Procedure Calls).
-MS-RPCs use the <span class="emphasis"><em>SPOOLSS</em></span> named pipe for all printing.
-</p><p>
-The additional functionality provided by the new SPOOLSS support includes:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id393061"></a>
- Support for downloading printer driver files to Windows 95/98/NT/2000 clients upon
- demand (<span class="emphasis"><em>Point'n'Print</em></span>).
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id393076"></a>
- Uploading of printer drivers via the Windows NT <span class="emphasis"><em>Add Printer Wizard</em></span> (APW)
- or the <a class="ulink" href="http://imprints.sourceforge.net/" target="_top">Imprints</a> tool set.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id393098"></a>
-<a class="indexterm" name="id393105"></a>
-<a class="indexterm" name="id393112"></a>
-<a class="indexterm" name="id393119"></a>
-<a class="indexterm" name="id393126"></a>
- Support for the native MS-RPC printing calls such as StartDocPrinter, EnumJobs(), and so on. (See the
- <a class="ulink" href="http://msdn.microsoft.com/" target="_top">MSDN documentation</a> for more information on the
- Win32 printing API).
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id393144"></a>
-<a class="indexterm" name="id393151"></a>
- Support for NT Access Control Lists (ACL) on printer objects.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id393162"></a>
- Improved support for printer queue manipulation through the use of internal databases for spooled
- job information (implemented by various <code class="filename">*.tdb</code> files).
- </p></li></ul></div><p>
-<a class="indexterm" name="id393181"></a>
-<a class="indexterm" name="id393187"></a>
-A benefit of updating is that Samba-3 is able to publish its printers to Active Directory (or LDAP).
-</p><p>
-<a class="indexterm" name="id393198"></a>
-A fundamental difference exists between MS Windows NT print servers and Samba operation. Windows NT
-permits the installation of local printers that are not shared. This is an artifact of the fact that
-any Windows NT machine (server or client) may be used by a user as a workstation. Samba will publish all
-printers that are made available, either by default or by specific declaration via printer-specific shares.
-</p><p>
-<a class="indexterm" name="id393212"></a>
-<a class="indexterm" name="id393218"></a>
-<a class="indexterm" name="id393225"></a>
-<a class="indexterm" name="id393232"></a>
-<a class="indexterm" name="id393239"></a>
-Windows NT/200x/XP Professional clients do not have to use the standard SMB printer share; they can
-print directly to any printer on another Windows NT host using MS-RPC. This, of course, assumes that
-the client has the necessary privileges on the remote host that serves the printer resource. The
-default permissions assigned by Windows NT to a printer gives the print permissions to the well-known
-<span class="emphasis"><em>Everyone</em></span> group. (The older clients of type Windows 9x/Me can only print to shared
-printers.)
-</p><div class="sect2" title="Point'n'Print Client Drivers on Samba Servers"><div class="titlepage"><div><div><h3 class="title"><a name="id393254"></a>Point'n'Print Client Drivers on Samba Servers</h3></div></div></div><p>
-<a class="indexterm" name="id393262"></a>
-There is much confusion about what all this means. The question is often asked, <span class="quote">&#8220;<span class="quote">Is it or is
-it not necessary for printer drivers to be installed on a Samba host in order to support printing from
-Windows clients?</span>&#8221;</span> The answer to this is no, it is not necessary.
-</p><p>
-<a class="indexterm" name="id393278"></a>
-<a class="indexterm" name="id393285"></a>
-Windows NT/2000 clients can, of course, also run their APW to install drivers <span class="emphasis"><em>locally</em></span>
-(which then connect to a Samba-served print queue). This is the same method used by Windows 9x/Me
-clients. (However, a bug existed in Samba 2.2.0 that made Windows NT/2000 clients
-require that the Samba server possess a valid driver for the printer. This was fixed in Samba 2.2.1).
-</p><p>
-<a class="indexterm" name="id393302"></a>
-<a class="indexterm" name="id393309"></a>
-But it is a new capability to install the printer drivers into the <em class="parameter"><code>[print$]</code></em>
-share of the Samba server, and a big convenience, too. Then <span class="emphasis"><em>all</em></span> clients
-(including 95/98/ME) get the driver installed when they first connect to this printer share. The
-<span class="emphasis"><em>uploading</em></span> or <span class="emphasis"><em>depositing</em></span> of the driver into this
-<em class="parameter"><code>[print$]</code></em> share and the following binding of this driver to an existing
-Samba printer share can be achieved by different means:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Running the <span class="emphasis"><em>APW</em></span> on an NT/200x/XP Professional client (this does not work from 95/98/ME clients).
- </p></li><li class="listitem"><p>
- Using the <span class="emphasis"><em>Imprints</em></span> toolset.
- </p></li><li class="listitem"><p>
- Using the <span class="emphasis"><em>smbclient</em></span> and <span class="emphasis"><em>rpcclient</em></span> command-line tools.
- </p></li><li class="listitem"><p>
- Using <span class="emphasis"><em>cupsaddsmb</em></span> (only works for the CUPS printing system, not for LPR/LPD, LPRng, and so on).
- </p></li></ul></div><p>
-<a class="indexterm" name="id393385"></a>
-<a class="indexterm" name="id393392"></a>
-Samba does not use these uploaded drivers in any way to process spooled files. These drivers are utilized
-entirely by the clients who download and install them via the <span class="quote">&#8220;<span class="quote">Point'n'Print</span>&#8221;</span> mechanism
-supported by Samba. The clients use these drivers to generate print files in the format the printer
-(or the UNIX print system) requires. Print files received by Samba are handed over to the UNIX printing
-system, which is responsible for all further processing, as needed.
-</p></div><div class="sect2" title="The Obsoleted [printer$] Section"><div class="titlepage"><div><div><h3 class="title"><a name="id393408"></a>The Obsoleted [printer$] Section</h3></div></div></div><p>
-<a class="indexterm" name="id393416"></a>
-<a class="indexterm" name="id393423"></a>
- Versions of Samba prior to 2.2 made it possible to use a share named <em class="parameter"><code>[printer$]</code></em>. This
- name was taken from the same named service created by Windows 9x/Me clients when a printer was shared by them.
- Windows 9x/Me printer servers always have a <em class="parameter"><code>[printer$]</code></em> service that provides
- read-only access (with no password required) to support printer driver downloads. However, Samba's initial
- implementation allowed for a parameter named <em class="parameter"><code>printer driver location</code></em> to be used on a
- per-share basis. This specified the location of the driver files associated with that printer. Another
- parameter named <em class="parameter"><code>printer driver</code></em> provided a means of defining the printer driver name to
- be sent to the client.
- </p><p>
-<a class="indexterm" name="id393462"></a>
-<a class="indexterm" name="id393469"></a>
-<a class="indexterm" name="id393476"></a>
- These parameters, including the <em class="parameter"><code>printer driver file</code></em> parameter,
- are now removed and cannot be used in installations of Samba-3. The share name
- <em class="parameter"><code>[print$]</code></em> is now used for the location of downloadable printer
- drivers. It is taken from the <em class="parameter"><code>[print$]</code></em> service created
- by Windows NT PCs when a printer is shared by them. Windows NT print servers always have a
- <em class="parameter"><code>[print$]</code></em> service that provides read-write access (in the context
- of its ACLs) to support printer driver downloads and uploads. This does not mean Windows
- 9x/Me clients are now thrown aside. They can use Samba's <em class="parameter"><code>[print$]</code></em>
- share support just fine.
- </p></div><div class="sect2" title="Creating the [print$] Share"><div class="titlepage"><div><div><h3 class="title"><a name="id393519"></a>Creating the [print$] Share</h3></div></div></div><p>
-<a class="indexterm" name="id393526"></a>
-In order to support the uploading and downloading of printer driver files, you must first configure a
-file share named <em class="parameter"><code>[print$]</code></em>. The public name of this share is hard coded
-in the MS Windows clients. It cannot be renamed, since Windows clients are programmed to search for a
-service of exactly this name if they want to retrieve printer driver files.
-</p><p>
-You should modify the server's file to add the global parameters and create the
-<em class="parameter"><code>[print$]</code></em> file share (of course, some of the parameter values, such
-as <a class="link" href="smb.conf.5.html#PATH" target="_top">path</a>, are arbitrary and should be replaced with appropriate values for your
-site). See <a class="link" href="classicalprinting.html#prtdollar" title="Example 21.3. [print$] Example">[print\$] Example</a>.
-</p><div class="example"><a name="prtdollar"></a><p class="title"><b>Example 21.3. [print$] Example</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td># members of the ntadmin group should be able to add drivers and set</td></tr><tr><td># printer properties. root is implicitly always a 'printer admin'.</td></tr><tr><td><a class="indexterm" name="id393603"></a><em class="parameter"><code>printer admin = @ntadmin</code></em></td></tr><tr><td># ...</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td># ...</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id393639"></a><em class="parameter"><code>comment = Printer Driver Download Area</code></em></td></tr><tr><td><a class="indexterm" name="id393651"></a><em class="parameter"><code>path = /etc/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id393663"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id393674"></a><em class="parameter"><code>guest ok = yes</code></em></td></tr><tr><td><a class="indexterm" name="id393686"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id393697"></a><em class="parameter"><code>write list = @ntadmin, root</code></em></td></tr></table></div></div><br class="example-break"><p>
-Of course, you also need to ensure that the directory named by the
-<a class="link" href="smb.conf.5.html#PATH" target="_top">path</a> parameter exists on the UNIX file system.
-</p></div><div class="sect2" title="[print$] Stanza Parameters"><div class="titlepage"><div><div><h3 class="title"><a name="id393726"></a>[print$] Stanza Parameters</h3></div></div></div><p>
-<a class="indexterm" name="id393734"></a>
-<a class="indexterm" name="id393741"></a>
-<a class="indexterm" name="id393748"></a>
-<a class="indexterm" name="id393754"></a>
-<a class="indexterm" name="id393761"></a>
-The <em class="parameter"><code>[print$]</code></em> is a special section in <code class="filename">smb.conf</code>. It contains settings relevant to
-potential printer driver download and is used by Windows clients for local print driver installation.
-The following parameters are frequently needed in this share section:
-</p><div class="variablelist"><dl><dt><span class="term"><a class="link" href="smb.conf.5.html#COMMENT" target="_top">comment = Printer Driver Download Area </a></span></dt><dd><p>
- The comment appears next to the share name if it is listed in a share list (usually Windows
- clients will not see it, but it will also appear up in a <code class="literal">smbclient -L sambaserver
- </code> output).
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#PATH" target="_top">path = /etc/samba/printers </a></span></dt><dd><p>
- The path to the location of the Windows driver file deposit from the UNIX point of view.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#BROWSEABLE" target="_top">browseable = no </a></span></dt><dd><p>
- Makes the <em class="parameter"><code>[print$]</code></em> share invisible to clients from the
- <span class="guimenu">Network Neighborhood</span>. By excuting from a <code class="literal">cmd</code> shell:
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code> <code class="literal">net use g:\\sambaserver\print$</code>
-</pre><p>
- you can still mount it from any client. This can also be done from the
- <span class="guimenu">Connect network drive</span> menu from Windows Explorer.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#GUESTOK" target="_top">guest ok = yes </a></span></dt><dd><p>
- Gives read-only access to this share for all guest users. Access may be granted to
- download and install printer drivers on clients. The requirement for <em class="parameter"><code>guest ok
- = yes</code></em> depends on how your site is configured. If users will be guaranteed
- to have an account on the Samba host, then this is a non-issue.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- If all your Windows NT users are guaranteed to be authenticated by the Samba server
- (for example, if Samba authenticates via an NT domain server and the user has already been
- validated by the domain controller in order to log on to the Windows NT session), then guest
- access is not necessary. Of course, in a workgroup environment where you just want
- to print without worrying about silly accounts and security, then configure the share for
- guest access. You should consider adding <a class="link" href="smb.conf.5.html#MAPTOGUEST" target="_top">map to guest = Bad User</a>
- in the <em class="parameter"><code>[global]</code></em> section as well. Make sure you understand what this
- parameter does before using it.
- </p></div></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#READONLY" target="_top">read only = yes </a></span></dt><dd><p>
- Because we do not want everybody to upload driver files (or even change driver settings),
- we tagged this share as not writable.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#WRITELIST" target="_top">write list = @ntadmin, root </a></span></dt><dd><p>
- The <em class="parameter"><code>[print$]</code></em> was made read-only by the previous
- setting so we should create a <em class="parameter"><code>write list</code></em> entry also. UNIX
- groups are denoted with a leading <span class="quote">&#8220;<span class="quote">@</span>&#8221;</span> character. Users listed here are allowed
- write-access (as an exception to the general public's read-only access), which they need to
- update files on the share. Normally, you will want to name only administrative-level user
- account in this setting. Check the file system permissions to make sure these accounts
- can copy files to the share. If this is a non-root account, then the account should also
- be mentioned in the global <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a>
- parameter. See the <code class="filename">smb.conf</code> man page for more information on configuring file shares.
- </p></dd></dl></div></div><div class="sect2" title="The [print$] Share Directory"><div class="titlepage"><div><div><h3 class="title"><a name="id394019"></a>The [print$] Share Directory</h3></div></div></div><p>
-In order for a Windows NT print server to support the downloading of driver files by multiple client
-architectures, you must create several subdirectories within the <em class="parameter"><code>[print$]</code></em>
-service (i.e., the UNIX directory named by the <a class="link" href="smb.conf.5.html#PATH" target="_top">path</a>
-parameter). These correspond to each of the supported client architectures. Samba follows this model as
-well. Just like the name of the <em class="parameter"><code>[print$]</code></em> share itself, the subdirectories
-must be exactly the names listed below (you may leave out the subdirectories of architectures you do
-not need to support).
-</p><p>
-Therefore, create a directory tree below the
-<em class="parameter"><code>[print$]</code></em> share for each architecture you wish
-to support like this:
-</p><pre class="programlisting">
-[print$]--+
- |--W32X86 # serves drivers to Windows NT x86
- |--WIN40 # serves drivers to Windows 95/98
- |--W32ALPHA # serves drivers to Windows NT Alpha_AXP
- |--W32MIPS # serves drivers to Windows NT R4000
- |--W32PPC # serves drivers to Windows NT PowerPC
-</pre><p>
-</p><div class="important" title="Required Permissions" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Required Permissions</h3><p>
- In order to add a new driver to your Samba host, one of two conditions must hold true:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- The account used to connect to the Samba host must have a UID of 0 (i.e., a root account).
- </p></li><li class="listitem"><p>
- The account used to connect to the Samba host must be named in the <span class="emphasis"><em>printer admin</em></span> list.
- </p></li></ul></div><p>
- Of course, the connected account must still have write access to add files to the subdirectories beneath
- <em class="parameter"><code>[print$]</code></em>. Remember that all file shares are set to <span class="quote">&#8220;<span class="quote">read-only</span>&#8221;</span> by default.
- </p></div><p>
-Once you have created the required <em class="parameter"><code>[print$]</code></em> service and
-associated subdirectories, go to a Windows NT 4.0/200x/XP client workstation. Open <span class="guiicon">Network
-Neighborhood</span> or <span class="guiicon">My Network Places</span> and browse for the Samba host. Once you
-have located the server, navigate to its <span class="guiicon">Printers and Faxes</span> folder. You should see
-an initial listing of printers that matches the printer shares defined on your Samba host.
-</p></div></div><div class="sect1" title="Installing Drivers into [print$]"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id394148"></a>Installing Drivers into [print$]</h2></div></div></div><p>
-Have you successfully created the <em class="parameter"><code>[print$]</code></em> share in <code class="filename">smb.conf</code>, and have you forced
-Samba to reread its <code class="filename">smb.conf</code> file? Good. But you are not yet ready to use the new facility. The client
-driver files need to be installed into this share. So far, it is still an empty share. Unfortunately, it is
-not enough to just copy the driver files over. They need to be correctly installed so that appropriate records
-for each driver will exist in the Samba internal databases so it can provide the correct drivers as they are
-requested from MS Windows clients. And that is a bit tricky, to say the least. We now discuss two alternative
-ways to install the drivers into <em class="parameter"><code>[print$]</code></em>:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Using the Samba command-line utility <code class="literal">rpcclient</code> with its various subcommands (here,
- <code class="literal">adddriver</code> and <code class="literal">setdriver</code>) from any UNIX workstation.
- </p></li><li class="listitem"><p>
- Running a GUI (<span class="guiicon">Printer Properties</span> and <span class="guiicon">Add Printer Wizard</span>)
- from any Windows NT/200x/XP client workstation.
- </p></li></ul></div><p>
-The latter option is probably the easier one (even if the process may seem a little bit weird at first).
-</p><div class="sect2" title="Add Printer Wizard Driver Installation"><div class="titlepage"><div><div><h3 class="title"><a name="id394232"></a>Add Printer Wizard Driver Installation</h3></div></div></div><p>
-The printers initially listed in the Samba host's <span class="guiicon">Printers</span> folder accessed from a
-client's Explorer will have no real printer driver assigned to them. By default this driver name is set
-to a null string. This must be changed now. The local <span class="guiicon">Add Printer Wizard</span> (APW), run from
-NT/2000/XP clients, will help us in this task.
-</p><p>
-Installation of a valid printer driver is not straightforward. You must attempt to view the printer properties
-for the printer to which you want the driver assigned. Open Windows Explorer, open <span class="guiicon">Network
-Neighborhood</span>, browse to the Samba host, open Samba's <span class="guiicon">Printers</span> folder, right-click
-on the printer icon, and select <span class="guimenu">Properties...</span>. You are now trying to view printer and
-driver properties for a queue that has this default <code class="constant">NULL</code> driver assigned. This will
-result in the following error message: <span class="quote">&#8220;<span class="quote"> Device settings cannot be displayed. The driver for the
-specified printer is not installed, only spooler properties will be displayed. Do you want to install the
-driver now?</span>&#8221;</span>
-</p><p>
-Do <span class="emphasis"><em>not</em></span> click on <span class="guibutton">Yes</span>! Instead, click on <span class="guibutton">No</span>
-in the error dialog. Now you will be presented with the printer properties window. From here, the way to
-assign a driver to a printer is open. You now have the choice of:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Select a driver from the pop-up list of installed drivers. Initially this list will be empty.
- </p></li><li class="listitem"><p>
- Click on <span class="guibutton">New Driver</span> to install a new printer driver (which will
- start up the APW).
- </p></li></ul></div><p>
-Once the APW is started, the procedure is exactly the same as the one you are familiar with in Windows (we
-assume here that you are familiar with the printer driver installations procedure on Windows NT). Make sure
-your connection is, in fact, set up as a user with <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a>
-privileges (if in doubt, use <code class="literal">smbstatus</code> to check for this). If you wish to install
-printer drivers for client operating systems other than <span class="application">Windows NT x86</span>,
-you will need to use the <span class="guilabel">Sharing</span> tab of the printer properties dialog.
-</p><p>
-Assuming you have connected with an administrative (or root) account (as named by the
-<a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a> parameter), you will also be able to modify
-other printer properties such as ACLs and default device settings using this dialog. For the default
-device settings, please consider the advice given further in <a class="link" href="classicalprinting.html#inst-rpc" title="Installing Print Drivers Using rpcclient">Installing
-Print Drivers Using <code class="literal">rpcclient</code></a>.
-</p></div><div class="sect2" title="Installing Print Drivers Using rpcclient"><div class="titlepage"><div><div><h3 class="title"><a name="inst-rpc"></a>Installing Print Drivers Using <code class="literal">rpcclient</code></h3></div></div></div><p>
-The second way to install printer drivers into <em class="parameter"><code>[print$]</code></em> and set them
-up in a valid way is to do it from the UNIX command line. This involves four distinct steps:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- Gather information about required driver files and collect the files.
- </p></li><li class="listitem"><p>
- Deposit the driver files into the <em class="parameter"><code>[print$]</code></em> share's correct subdirectories
- (possibly by using <code class="literal">smbclient</code>).
- </p></li><li class="listitem"><p>
- Run the <code class="literal">rpcclient</code> command-line utility once with the <code class="literal">adddriver</code>
- subcommand.
- </p></li><li class="listitem"><p>
- Run <code class="literal">rpcclient</code> a second time with the <code class="literal">setdriver</code> subcommand.
- </p></li></ol></div><p>
-We provide detailed hints for each of these steps in the paragraphs that follow.
-</p><div class="sect3" title="Identifying Driver Files"><div class="titlepage"><div><div><h4 class="title"><a name="id394484"></a>Identifying Driver Files</h4></div></div></div><p>
-<a class="indexterm" name="id394492"></a>
-<a class="indexterm" name="id394498"></a>
-<a class="indexterm" name="id394505"></a>
-To find out about the driver files, you have two options. You can check the contents of the driver
-CDROM that came with your printer. Study the <code class="filename">*.inf</code> files located on the CD-ROM. This
-may not be possible, since the <code class="filename">*.inf</code> file might be missing. Unfortunately, vendors have now started
-to use their own installation programs. These installations packages are often in some Windows platform
-archive format. Additionally, the files may be re-named during the installation process. This makes it
-extremely difficult to identify the driver files required.
-</p><p>
-<a class="indexterm" name="id394532"></a>
-Then you have the second option. Install the driver locally on a Windows client and
-investigate which filenames and paths it uses after they are installed. (You need to repeat
-this procedure for every client platform you want to support. We show it here for the
-<span class="application">W32X86</span> platform only, a name used by Microsoft for all Windows NT/200x/XP
-clients.)
-</p><p>
-<a class="indexterm" name="id394550"></a>
-A good method to recognize the driver files is to print the test page from the driver's
-<span class="guilabel">Properties</span> dialog (<span class="guilabel">General</span> tab). Then look at the list of
-driver files named on the printout. You'll need to recognize what Windows (and Samba) are calling the
-<span class="guilabel">Driver File</span>, <span class="guilabel">Data File</span>, <span class="guilabel">Config File</span>,
-<span class="guilabel">Help File</span>, and (optionally) <span class="guilabel">Dependent Driver Files</span>
-(this may vary slightly for Windows NT). You need to note all filenames for the next steps.
-</p><p>
-<a class="indexterm" name="id394604"></a>
-<a class="indexterm" name="id394611"></a>
-<a class="indexterm" name="id394618"></a>
-Another method to quickly test the driver filenames and related paths is provided by the
-<code class="literal">rpcclient</code> utility. Run it with <code class="literal">enumdrivers</code> or with the
-<code class="literal">getdriver</code> subcommand, each at the <code class="filename">3</code> info level. In the following example,
-<span class="emphasis"><em>TURBO_XP</em></span> is the name of the Windows PC (in this case it was a Windows XP Professional
-laptop). I installed the driver locally to TURBO_XP from a Samba server called <code class="constant">KDE-BITSHOP</code>.
-We could run an interactive <code class="literal">rpcclient</code> session; then we would get an
-<code class="literal">rpcclient /&gt;</code> prompt and would type the subcommands at this prompt. This is left as
-a good exercise for you. For now, we use <code class="literal">rpcclient</code> with the <code class="option">-c</code>
-parameter to execute a single subcommand line and exit again. This is the method you use if you
-want to create scripts to automate the procedure for a large number of printers and drivers. Note the
-different quotation marks used to overcome the different spaces between words:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'Danka%xxxx' -c \
- 'getdriver "Heidelberg Digimaster 9110 (PS)" 3' TURBO_XP</code></strong>
-cmd = getdriver "Heidelberg Digimaster 9110 (PS)" 3
-
-[Windows NT x86]
-Printer Driver Info 3:
- Version: [2]
- Driver Name: [Heidelberg Digimaster 9110 (PS)]
- Architecture: [Windows NT x86]
- Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01_de.DLL]
- Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.ppd]
- Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.DLL]
- Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.HLP]
-
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.DLL]
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.INI]
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.dat]
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.cat]
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.def]
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.hre]
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.vnd]
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.hlp]
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01Aux.dll]
- Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01_de.NTF]
-
- Monitorname: []
- Defaultdatatype: []
-</pre><p>
-<a class="indexterm" name="id394726"></a>
-<a class="indexterm" name="id394732"></a>
-<a class="indexterm" name="id394739"></a>
-<a class="indexterm" name="id394746"></a>
-You may notice that this driver has quite a large number of <span class="guilabel">Dependent files</span>
-(there are worse cases, however). Also, strangely, the
-<span class="guilabel">Driver File</span> is tagged here
-<span class="guilabel">Driver Path</span>. We do not yet have support for the so-called
-<span class="application">WIN40</span> architecture installed. This name is used by Microsoft for the Windows
-9x/Me platforms. If we want to support these, we need to install the Windows 9x/Me driver files in
-addition to those for <span class="application">W32X86</span> (i.e., the Windows NT 2000/XP clients) onto a
-Windows PC. This PC can also host the Windows 9x/Me drivers, even if it runs on Windows NT, 2000, or XP.
-</p><p>
-<a class="indexterm" name="id394790"></a>
-<a class="indexterm" name="id394797"></a>
-Since the <em class="parameter"><code>[print$]</code></em> share is usually accessible through the <span class="guiicon">Network
-Neighborhood</span>, you can also use the UNC notation from Windows Explorer to poke at it. The Windows
-9x/Me driver files will end up in subdirectory <code class="filename">0</code> of the <code class="filename">WIN40</code>
-directory. The full path to access them is <code class="filename">\\WINDOWSHOST\print$\WIN40\0\</code>.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-More recent drivers on Windows 2000 and Windows XP are installed into the <span class="quote">&#8220;<span class="quote">3</span>&#8221;</span> subdirectory
-instead of the <span class="quote">&#8220;<span class="quote">2</span>&#8221;</span>. The version 2 of drivers, as used in Windows NT, were running in kernel
-mode. Windows 2000 changed this. While it still can use the kernel mode drivers (if this is enabled by
-the Admin), its native mode for printer drivers is user mode execution. This requires drivers designed
-for this purpose. These types of drivers install into the <span class="quote">&#8220;<span class="quote">3</span>&#8221;</span> subdirectory.
-</p></div></div><div class="sect3" title="Obtaining Driver Files from Windows Client [print$] Shares"><div class="titlepage"><div><div><h4 class="title"><a name="id394855"></a>Obtaining Driver Files from Windows Client [print$] Shares</h4></div></div></div><p>
-Now we need to collect all the driver files we identified in our previous step. Where do we get them
-from? Well, why not retrieve them from the very PC and the same <em class="parameter"><code>[print$]</code></em>
-share that we investigated in our last step to identify the files? We can use <code class="literal">smbclient</code>
-to do this. We will use the paths and names that were leaked to us by <code class="literal">getdriver</code>. The
-listing is edited to include line breaks for readability:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbclient //TURBO_XP/print\$ -U'Danka%xxxx' \
- -c 'cd W32X86/2;mget HD*_de.* hd*ppd Hd*_de.* Hddm*dll HDN*Aux.DLL'</code></strong>
-
-added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
-Got a positive name query response from 10.160.50.8 ( 10.160.50.8 )
-Domain=[DEVELOPMENT] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
-<code class="prompt">Get file Hddm91c1_de.ABD? </code><strong class="userinput"><code>n</code></strong>
-<code class="prompt">Get file Hddm91c1_de.def? </code><strong class="userinput"><code>y</code></strong>
-getting file \W32X86\2\Hddm91c1_de.def of size 428 as Hddm91c1_de.def
-<code class="prompt">Get file Hddm91c1_de.DLL? </code><strong class="userinput"><code>y</code></strong>
-getting file \W32X86\2\Hddm91c1_de.DLL of size 876544 as Hddm91c1_de.DLL
-[...]
-</pre><p>
-After this command is complete, the files are in our current local directory. You probably have noticed
-that this time we passed several commands to the <code class="option">-c</code> parameter, separated by semicolons.
-This ensures that all commands are executed in sequence on the remote Windows server before
-<code class="literal">smbclient</code> exits again.
-</p><p>
-<a class="indexterm" name="id394953"></a>
-Remember to repeat the procedure for the <span class="application">WIN40</span> architecture should you need to
-support Windows 9x/Me/XP clients. Remember too, the files for these architectures are in the
-<code class="filename">WIN40/0/</code> subdirectory. Once this is complete, we can run <code class="literal">smbclient. .
-.put</code> to store the collected files on the Samba server's <em class="parameter"><code>[print$]</code></em> share.
-</p></div><div class="sect3" title="Installing Driver Files into [print$]"><div class="titlepage"><div><div><h4 class="title"><a name="id394988"></a>Installing Driver Files into [print$]</h4></div></div></div><p>
-We are now going to locate the driver files into the <em class="parameter"><code>[print$]</code></em> share. Remember, the
-UNIX path to this share has been defined previously in your <code class="filename">smb.conf</code> file. You also have created
-subdirectories for the different Windows client types you want to support. If, for example, your
-<em class="parameter"><code>[print$]</code></em> share maps to the UNIX path <code class="filename">/etc/samba/drivers/</code>, your
-driver files should now go here:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- For all Windows NT, 2000, and XP clients, <code class="filename">/etc/samba/drivers/W32X86/</code> but
- not (yet) into the <code class="filename">2</code> subdirectory.
- </p></li><li class="listitem"><p>
- For all Windows 95, 98, and Me clients, <code class="filename">/etc/samba/drivers/WIN40/</code> but not
- (yet) into the <code class="filename">0</code> subdirectory.
- </p></li></ul></div><p>
-<a class="indexterm" name="id395062"></a>
-<a class="indexterm" name="id395069"></a>
-We again use smbclient to transfer the driver files across the network. We specify the same files
-and paths as were leaked to us by running <code class="literal">getdriver</code> against the original
-<span class="emphasis"><em>Windows</em></span> install. However, now we are going to store the files into a
-<span class="emphasis"><em>Samba/UNIX</em></span> print server's <em class="parameter"><code>[print$]</code></em> share.
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbclient //SAMBA-CUPS/print\$ -U'root%xxxx' -c \
- 'cd W32X86; put HDNIS01_de.DLL; \
- put Hddm91c1_de.ppd; put HDNIS01U_de.DLL; \
- put HDNIS01U_de.HLP; put Hddm91c1_de.DLL; \
- put Hddm91c1_de.INI; put Hddm91c1KMMin.DLL; \
- put Hddm91c1_de.dat; put Hddm91c1_de.dat; \
- put Hddm91c1_de.def; put Hddm91c1_de.hre; \
- put Hddm91c1_de.vnd; put Hddm91c1_de.hlp; \
- put Hddm91c1_de_reg.HLP; put HDNIS01Aux.dll; \
- put HDNIS01_de.NTF'</code></strong>
-
-added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
-Got a positive name query response from 10.160.51.162 ( 10.160.51.162 )
-Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
-putting file HDNIS01_de.DLL as \W32X86\HDNIS01_de.DLL
-putting file Hddm91c1_de.ppd as \W32X86\Hddm91c1_de.ppd
-putting file HDNIS01U_de.DLL as \W32X86\HDNIS01U_de.DLL
-putting file HDNIS01U_de.HLP as \W32X86\HDNIS01U_de.HLP
-putting file Hddm91c1_de.DLL as \W32X86\Hddm91c1_de.DLL
-putting file Hddm91c1_de.INI as \W32X86\Hddm91c1_de.INI
-putting file Hddm91c1KMMin.DLL as \W32X86\Hddm91c1KMMin.DLL
-putting file Hddm91c1_de.dat as \W32X86\Hddm91c1_de.dat
-putting file Hddm91c1_de.dat as \W32X86\Hddm91c1_de.dat
-putting file Hddm91c1_de.def as \W32X86\Hddm91c1_de.def
-putting file Hddm91c1_de.hre as \W32X86\Hddm91c1_de.hre
-putting file Hddm91c1_de.vnd as \W32X86\Hddm91c1_de.vnd
-putting file Hddm91c1_de.hlp as \W32X86\Hddm91c1_de.hlp
-putting file Hddm91c1_de_reg.HLP as \W32X86\Hddm91c1_de_reg.HLP
-putting file HDNIS01Aux.dll as \W32X86\HDNIS01Aux.dll
-putting file HDNIS01_de.NTF as \W32X86\HDNIS01_de.NTF
-</pre><p>
-<a class="indexterm" name="id395126"></a>
-<a class="indexterm" name="id395133"></a>
-<a class="indexterm" name="id395140"></a>
-Whew that was a lot of typing! Most drivers are a lot smaller many have only three generic
-PostScript driver files plus one PPD. While we did retrieve the files from the <code class="filename">2</code>
-subdirectory of the <code class="filename">W32X86</code> directory from the Windows box, we do not put them
-(for now) in this same subdirectory of the Samba box. This relocation will automatically be done by the
-<code class="literal">adddriver</code> command, which we will run shortly (and do not forget to also put the files
-for the Windows 9x/Me architecture into the <code class="filename">WIN40/</code> subdirectory should you need them).
-</p></div><div class="sect3" title="smbclient to Confirm Driver Installation"><div class="titlepage"><div><div><h4 class="title"><a name="id395182"></a><code class="literal">smbclient</code> to Confirm Driver Installation</h4></div></div></div><p>
-<a class="indexterm" name="id395194"></a>
-<a class="indexterm" name="id395201"></a>
-For now we verify that our files are there. This can be done with <code class="literal">smbclient</code>, too
-(but, of course, you can log in via SSH also and do this through a standard UNIX shell access):
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbclient //SAMBA-CUPS/print\$ -U 'root%xxxx' \
- -c 'cd W32X86; pwd; dir; cd 2; pwd; dir'</code></strong>
- added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
-Got a positive name query response from 10.160.51.162 ( 10.160.51.162 )
-Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.8a]
-
-Current directory is \\SAMBA-CUPS\print$\W32X86\
-. D 0 Sun May 4 03:56:35 2003
-.. D 0 Thu Apr 10 23:47:40 2003
-2 D 0 Sun May 4 03:56:18 2003
-HDNIS01Aux.dll A 15356 Sun May 4 03:58:59 2003
-Hddm91c1KMMin.DLL A 46966 Sun May 4 03:58:59 2003
-HDNIS01_de.DLL A 434400 Sun May 4 03:58:59 2003
-HDNIS01_de.NTF A 790404 Sun May 4 03:56:35 2003
-Hddm91c1_de.DLL A 876544 Sun May 4 03:58:59 2003
-Hddm91c1_de.INI A 101 Sun May 4 03:58:59 2003
-Hddm91c1_de.dat A 5044 Sun May 4 03:58:59 2003
-Hddm91c1_de.def A 428 Sun May 4 03:58:59 2003
-Hddm91c1_de.hlp A 37699 Sun May 4 03:58:59 2003
-Hddm91c1_de.hre A 323584 Sun May 4 03:58:59 2003
-Hddm91c1_de.ppd A 26373 Sun May 4 03:58:59 2003
-Hddm91c1_de.vnd A 45056 Sun May 4 03:58:59 2003
-HDNIS01U_de.DLL A 165888 Sun May 4 03:58:59 2003
-HDNIS01U_de.HLP A 19770 Sun May 4 03:58:59 2003
-Hddm91c1_de_reg.HLP A 228417 Sun May 4 03:58:59 2003
- 40976 blocks of size 262144. 709 blocks available
-
-Current directory is \\SAMBA-CUPS\print$\W32X86\2\
-. D 0 Sun May 4 03:56:18 2003
-.. D 0 Sun May 4 03:56:35 2003
-ADOBEPS5.DLL A 434400 Sat May 3 23:18:45 2003
-laserjet4.ppd A 9639 Thu Apr 24 01:05:32 2003
-ADOBEPSU.DLL A 109568 Sat May 3 23:18:45 2003
-ADOBEPSU.HLP A 18082 Sat May 3 23:18:45 2003
-PDFcreator2.PPD A 15746 Sun Apr 20 22:24:07 2003
- 40976 blocks of size 262144. 709 blocks available
-</pre><p>
-<a class="indexterm" name="id395255"></a>
-<a class="indexterm" name="id395261"></a>
-<a class="indexterm" name="id395268"></a>
-Notice that there are already driver files present in the <code class="filename">2</code> subdirectory (probably from a
-previous installation). Once the files for the new driver are there too, you are still a few steps away from
-being able to use them on the clients. The only thing you could do now is retrieve them from a client just
-like you retrieve ordinary files from a file share, by opening print$ in Windows Explorer. But that wouldn't
-install them per Point'n'Print. The reason is that Samba does not yet know that these files are something
-special, namely <span class="emphasis"><em>printer driver files</em></span>, and it does not know to which print queue(s) these
-driver files belong.
-</p></div><div class="sect3" title="Running rpcclient with adddriver"><div class="titlepage"><div><div><h4 class="title"><a name="id395292"></a>Running <code class="literal">rpcclient</code> with <code class="literal">adddriver</code></h4></div></div></div><p>
-<a class="indexterm" name="id395310"></a>
-<a class="indexterm" name="id395317"></a>
-<a class="indexterm" name="id395324"></a>
-Next, you must tell Samba about the special category of the files you just uploaded into the
-<em class="parameter"><code>[print$]</code></em> share. This is done by the <code class="literal">adddriver</code>
-command. It will prompt Samba to register the driver files into its internal TDB database files. The
-following command and its output has been edited for readability:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx -c 'adddriver "Windows NT x86" \
- "dm9110:HDNIS01_de.DLL: \
- Hddm91c1_de.ppd:HDNIS01U_de.DLL:HDNIS01U_de.HLP: \
- NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
- Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
- Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
- HDNIS01Aux.dll,HDNIS01_de.NTF, \
- Hddm91c1_de_reg.HLP' SAMBA-CUPS</code></strong>
-
-cmd = adddriver "Windows NT x86" \
- "dm9110:HDNIS01_de.DLL:Hddm91c1_de.ppd:HDNIS01U_de.DLL: \
- HDNIS01U_de.HLP:NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
- Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
- Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
- HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP"
-
-Printer Driver dm9110 successfully installed.
-</pre><p>
-<a class="indexterm" name="id395369"></a>
-<a class="indexterm" name="id395376"></a>
-<a class="indexterm" name="id395383"></a>
-After this step, the driver should be recognized by Samba on the print server. You need to be very
-careful when typing the command. Don't exchange the order of the fields. Some changes would lead to
-an <code class="computeroutput">NT_STATUS_UNSUCCESSFUL</code> error message. These become obvious. Other
-changes might install the driver files successfully but render the driver unworkable. So take care!
-Hints about the syntax of the adddriver command are in the man page.
-provides a more detailed description, should you need it.
-</p></div><div class="sect3" title="Checking adddriver Completion"><div class="titlepage"><div><div><h4 class="title"><a name="id395402"></a>Checking <code class="literal">adddriver</code> Completion</h4></div></div></div><p>
-One indication for Samba's recognition of the files as driver files is the <code class="computeroutput">successfully
-installed</code> message. Another one is the fact that our files have been moved by the
-<code class="literal">adddriver</code> command into the <code class="filename">2</code> subdirectory. You can check this
-again with <code class="literal">smbclient</code>:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbclient //SAMBA-CUPS/print\$ -Uroot%xx \
- -c 'cd W32X86;dir;pwd;cd 2;dir;pwd'</code></strong>
- added interface ip=10.160.51.162 bcast=10.160.51.255 nmask=255.255.252.0
- Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
-
- Current directory is \\SAMBA-CUPS\print$\W32X86\
- . D 0 Sun May 4 04:32:48 2003
- .. D 0 Thu Apr 10 23:47:40 2003
- 2 D 0 Sun May 4 04:32:48 2003
- 40976 blocks of size 262144. 731 blocks available
-
- Current directory is \\SAMBA-CUPS\print$\W32X86\2\
- . D 0 Sun May 4 04:32:48 2003
- .. D 0 Sun May 4 04:32:48 2003
- DigiMaster.PPD A 148336 Thu Apr 24 01:07:00 2003
- ADOBEPS5.DLL A 434400 Sat May 3 23:18:45 2003
- laserjet4.ppd A 9639 Thu Apr 24 01:05:32 2003
- ADOBEPSU.DLL A 109568 Sat May 3 23:18:45 2003
- ADOBEPSU.HLP A 18082 Sat May 3 23:18:45 2003
- PDFcreator2.PPD A 15746 Sun Apr 20 22:24:07 2003
- HDNIS01Aux.dll A 15356 Sun May 4 04:32:18 2003
- Hddm91c1KMMin.DLL A 46966 Sun May 4 04:32:18 2003
- HDNIS01_de.DLL A 434400 Sun May 4 04:32:18 2003
- HDNIS01_de.NTF A 790404 Sun May 4 04:32:18 2003
- Hddm91c1_de.DLL A 876544 Sun May 4 04:32:18 2003
- Hddm91c1_de.INI A 101 Sun May 4 04:32:18 2003
- Hddm91c1_de.dat A 5044 Sun May 4 04:32:18 2003
- Hddm91c1_de.def A 428 Sun May 4 04:32:18 2003
- Hddm91c1_de.hlp A 37699 Sun May 4 04:32:18 2003
- Hddm91c1_de.hre A 323584 Sun May 4 04:32:18 2003
- Hddm91c1_de.ppd A 26373 Sun May 4 04:32:18 2003
- Hddm91c1_de.vnd A 45056 Sun May 4 04:32:18 2003
- HDNIS01U_de.DLL A 165888 Sun May 4 04:32:18 2003
- HDNIS01U_de.HLP A 19770 Sun May 4 04:32:18 2003
- Hddm91c1_de_reg.HLP A 228417 Sun May 4 04:32:18 2003
- 40976 blocks of size 262144. 731 blocks available
-</pre><p>
-Another verification is that the timestamp of the printing TDB files is now updated
-(and possibly their file size has increased).
-</p></div><div class="sect3" title="Check Samba for Driver Recognition"><div class="titlepage"><div><div><h4 class="title"><a name="id395482"></a>Check Samba for Driver Recognition</h4></div></div></div><p>
-<a class="indexterm" name="id395490"></a>
-Now the driver should be registered with Samba. We can easily verify this and will do so in a
-moment. However, this driver is not yet associated with a particular printer. We may check the driver
-status of the files by at least three methods:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id395505"></a>
-<a class="indexterm" name="id395512"></a>
-<a class="indexterm" name="id395519"></a>
-<a class="indexterm" name="id395526"></a>
-<a class="indexterm" name="id395532"></a>
- From any Windows client browse Network Neighborhood, find the Samba host, and open the Samba
- <span class="guiicon">Printers and Faxes</span> folder. Select any printer icon, right-click and select
- the printer <span class="guimenuitem">Properties</span>. Click the <span class="guilabel">Advanced</span>
- tab. Here is a field indicating the driver for that printer. A drop-down menu allows you to
- change that driver (be careful not to do this unwittingly). You can use this list to view
- all drivers known to Samba. Your new one should be among them. (Each type of client will
- see only its own architecture's list. If you do not have every driver installed for each platform,
- the list will differ if you look at it from Windows95/98/ME or Windows NT/2000/XP.)
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id395566"></a>
- From a Windows 200x/XP client (not Windows NT) browse <span class="guiicon">Network Neighborhood</span>,
- search for the Samba server, open the server's <span class="guiicon">Printers</span> folder,
- and right-click on the white background (with no printer highlighted). Select <span class="guimenuitem">Server
- Properties</span>. On the <span class="guilabel">Drivers</span> tab you will see the new driver
- listed. This view enables you to also inspect the list of files belonging to that driver
- (this does not work on Windows NT, but only on Windows 2000 and Windows XP; Windows NT does not
- provide the <span class="guimenuitem">Drivers</span> tab). An alternative and much quicker method for
- Windows 2000/XP to start this dialog is by typing into a DOS box (you must of course adapt the
- name to your Samba server instead of <em class="replaceable"><code>SAMBA-CUPS</code></em>):
- </p><pre class="screen">
- <strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /s /t2 /n\\<em class="replaceable"><code>SAMBA-CUPS</code></em></code></strong>
- </pre><p>
- </p></li><li class="listitem"><p>
- From a UNIX prompt, run this command (or a variant thereof), where
- <em class="replaceable"><code>SAMBA-CUPS</code></em> is the name of the Samba host and xxxx represents the
- actual Samba password assigned to root:
- </p><pre class="screen">
- <strong class="userinput"><code>rpcclient -U'root%xxxx' -c 'enumdrivers' <em class="replaceable"><code>SAMBA-CUPS</code></em></code></strong>
- </pre><p>
- </p><p>
- You will see a listing of all drivers Samba knows about. Your new one should be among
- them. But it is only listed under the <em class="parameter"><code>[Windows NT x86]</code></em> heading, not under
- <em class="parameter"><code>[Windows 4.0]</code></em>, since you didn't install that part. Or did you?
- In our example it is named <code class="constant">dm9110</code>. Note that the third column shows the other
- installed drivers twice, one time for each supported architecture. Our new driver only shows up
- for <span class="application">Windows NT 4.0 or 2000</span>. To have it present for <span class="application">Windows
- 95, 98, and Me</span>, you'll have to repeat the whole procedure with the WIN40 architecture
- and subdirectory.
- </p></li></ul></div></div><div class="sect3" title="Specific Driver Name Flexibility"><div class="titlepage"><div><div><h4 class="title"><a name="id395688"></a>Specific Driver Name Flexibility</h4></div></div></div><p>
-<a class="indexterm" name="id395696"></a>
-You can name the driver as you like. If you repeat the <code class="literal">adddriver</code> step with the same
-files as before but with a different driver name, it will work the same:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -Uroot%xxxx \
- -c 'adddriver "Windows NT x86" \
- "mydrivername:HDNIS01_de.DLL: \
- Hddm91c1_de.ppd:HDNIS01U_de.DLL:HDNIS01U_de.HLP: \
- NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
- Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
- Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
- HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP' SAMBA-CUPS
- </code></strong>
-
-cmd = adddriver "Windows NT x86" \
- "mydrivername:HDNIS01_de.DLL:Hddm91c1_de.ppd:HDNIS01U_de.DLL:\
- HDNIS01U_de.HLP:NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
- Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
- Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
- HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP"
-
-Printer Driver mydrivername successfully installed.
-</pre><p>
-<a class="indexterm" name="id395735"></a>
-<a class="indexterm" name="id395742"></a>
-<a class="indexterm" name="id395748"></a>
-You will be able to bind that driver to any print queue (however, you are responsible that
-you associate drivers to queues that make sense with respect to target printers). You cannot run the
-<code class="literal">rpcclient</code> <code class="literal">adddriver</code> command repeatedly. Each run consumes the
-files you had put into the <em class="parameter"><code>[print$]</code></em> share by moving them into the
-respective subdirectories, so you must execute an <code class="literal">smbclient ... put</code> command before
-each <code class="literal">rpcclient ... adddriver</code> command.
-</p></div><div class="sect3" title="Running rpcclient with setdriver"><div class="titlepage"><div><div><h4 class="title"><a name="id395790"></a>Running <code class="literal">rpcclient</code> with <code class="literal">setdriver</code></h4></div></div></div><p>
-<a class="indexterm" name="id395808"></a>
-<a class="indexterm" name="id395815"></a>
-Samba needs to know which printer owns which driver. Create a mapping of the driver to a printer, and
-store this information in Samba's memory, the TDB files. The <code class="literal">rpcclient setdriver</code> command
-achieves exactly this:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'root%xxxx' -c 'setdriver dm9110 mydrivername' <em class="replaceable"><code>SAMBA-CUPS</code></em></code></strong>
- cmd = setdriver dm9110 mydrivername
-
-Successfully set dm9110 to driver mydrivername.
-</pre><p>
-Ah, no, I did not want to do that. Repeat, this time with the name I intended:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U'root%xxxx' -c 'setdriver dm9110 dm9110' <em class="replaceable"><code>SAMBA-CUPS</code></em></code></strong>
- cmd = setdriver dm9110 dm9110
-Successfully set dm9110 to driver dm9110.
-</pre><p>
-The syntax of the command is:
-</p><pre class="screen">
-<strong class="userinput"><code>rpcclient -U'root%<em class="replaceable"><code>sambapassword</code></em>' -c 'setdriver <em class="replaceable"><code>printername</code></em> \
- <em class="replaceable"><code>drivername</code></em>' <em class="replaceable"><code>SAMBA-Hostname</code></em></code></strong>.
-</pre><p>
-Now we have done most of the work, but not all of it.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-The <code class="literal">setdriver</code> command will only succeed if the printer is already known to Samba. A
-bug in 2.2.x prevented Samba from recognizing freshly installed printers. You had to restart Samba,
-or at least send an HUP signal to all running smbd processes to work around this: <strong class="userinput"><code>kill -HUP
-`pidof smbd`</code></strong>.
-</p></div></div></div></div><div class="sect1" title="Client Driver Installation Procedure"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id395921"></a>Client Driver Installation Procedure</h2></div></div></div><p>
-As Don Quixote said, <span class="quote">&#8220;<span class="quote">The proof of the pudding is in the eating.</span>&#8221;</span> The proof
-for our setup lies in the printing. So let's install the printer driver onto the client PCs. This is
-not as straightforward as it may seem. Read on.
-</p><div class="sect2" title="First Client Driver Installation"><div class="titlepage"><div><div><h3 class="title"><a name="id395936"></a>First Client Driver Installation</h3></div></div></div><p>
-Especially important is the installation onto the first client PC (for each architectural platform
-separately). Once this is done correctly, all further clients are easy to set up and shouldn't need further
-attention. What follows is a description for the recommended first procedure. You now work from a client
-workstation. You should check that your connection is not unwittingly mapped to <span class="emphasis"><em>bad
-user</em></span> nobody. In a DOS box type:
-</p><p><strong class="userinput"><code>net use \\<em class="replaceable"><code>SAMBA-SERVER</code></em>\print$ /user:root</code></strong></p><p>
-Replace root, if needed, by another valid <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a> user as given in
-the definition. Should you already be connected as a different user, you will get an error message. There
-is no easy way to get rid of that connection, because Windows does not seem to know a concept of logging
-off from a share connection (do not confuse this with logging off from the local workstation; that is
-a different matter). On Windows NT/200x, you can force a logoff from all smb/cifs connections by restarting the
-<span class="emphasis"><em>workstation</em></span> service. You can try to close all Windows file explorers and Internet Explorer for
-Windows. As a last resort, you may have to reboot. Make sure there is no automatic reconnection set up. It may be
-easier to go to a different workstation and try from there. After you have made sure you are connected
-as a printer admin user (you can check this with the <code class="literal">smbstatus</code> command on Samba),
-do this from the Windows workstation:
-</p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Open <span class="guiicon">Network Neighborhood</span>.
- </p></li><li class="step" title="Step 2"><p>
- Browse to Samba server.
- </p></li><li class="step" title="Step 3"><p>
- Open its <span class="guiicon">Printers and Faxes</span> folder.
- </p></li><li class="step" title="Step 4"><p>
- Highlight and right-click on the printer.
- </p></li><li class="step" title="Step 5"><p>
- Select <span class="guimenuitem">Connect</span> (for Windows NT4/200x
- it is possibly <span class="guimenuitem">Install</span>).
- </p></li></ol></div><p>
-A new printer (named <em class="replaceable"><code>printername</code></em> on Samba server) should now have
-appeared in your <span class="emphasis"><em>local</em></span> Printer folder (check <span class="guimenu">Start</span> -&gt;
-<span class="guimenuitem">Settings</span> -&gt; <span class="guimenuitem">Control Panel</span> -&gt; <span class="guiicon">Printers
-and Faxes</span>).
-</p><p>
-<a class="indexterm" name="id396093"></a>
-Most likely you are tempted to try to print a test page. After all, you now can open the printer
-properties, and on the <span class="guimenu">General</span> tab there is a button offering to do just that. But
-chances are that you get an error message saying "<code class="literal">Unable to print Test Page</code>." The
-reason might be that there is not yet a valid device mode set for the driver or that the <span class="quote">&#8220;<span class="quote">printer
-driver data</span>&#8221;</span> set is still incomplete.
-</p><p>
-You must make sure that a valid <em class="parameter"><code>device mode</code></em> is set for the
-driver. We now explain what that means.
-</p></div><div class="sect2" title="Setting Device Modes on New Printers"><div class="titlepage"><div><div><h3 class="title"><a name="prt-modeset"></a>Setting Device Modes on New Printers</h3></div></div></div><p>
-For a printer to be truly usable by a Windows NT/200x/XP client, it must possess:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id396148"></a>
- A valid <span class="emphasis"><em>device mode</em></span> generated by the driver for the printer (defining things
- like paper size, orientation and duplex settings).
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id396164"></a>
- A complete set of <span class="emphasis"><em>printer driver data</em></span> generated by the driver.
- </p></li></ul></div><p>
-<a class="indexterm" name="id396179"></a>
-<a class="indexterm" name="id396186"></a>
-<a class="indexterm" name="id396193"></a>
-<a class="indexterm" name="id396199"></a>
-<a class="indexterm" name="id396206"></a>
-If either of these is incomplete, the clients can produce less than optimal output at best. In the
-worst cases, unreadable garbage or nothing at all comes from the printer, or it produces a harvest of
-error messages when attempting to print. Samba stores the named values and all printing-related information in
-its internal TDB database files <code class="filename">(ntprinters.tdb</code>, <code class="filename">ntdrivers.tdb</code>,
-<code class="filename">printing.tdb</code>, and <code class="filename">ntforms.tdb</code>).
-</p><p>
-The device mode and the set of printer driver data are basically collections
-of settings for all print queue properties, initialized in a sensible way. Device modes and
-printer driver data should initially be set on the print server (the Samba host) to healthy
-values so the clients can start to use them immediately. How do we set these initial healthy values?
-This can be achieved by accessing the drivers remotely from an NT (or 200x/XP) client, as discussed
-in the following paragraphs.
-</p><p>
-Be aware that a valid device mode can only be initiated by a <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a> or root
-(the reason should be obvious). Device modes can be correctly set only by executing the printer driver program
-itself. Since Samba cannot execute this Win32 platform driver code, it sets this field initially to NULL
-(which is not a valid setting for clients to use). Fortunately, most drivers automatically generate the
-printer driver data that is needed when they are uploaded to the <em class="parameter"><code>[print$]</code></em> share with
-the help of the APW or rpcclient.
-</p><p>
-The generation and setting of a first valid device mode, however, requires some tickling from a client
-to set it on the Samba server. The easiest means of doing so is to simply change the page orientation on
-the server's printer. This executes enough of the printer driver program on the client for the desired
-effect to happen and feeds back the new device mode to our Samba server. You can use the native Windows
-NT/200x/XP printer properties page from a Window client for this:
-</p><div class="procedure" title="Procedure 21.1. Procedure to Initialize the Printer Driver Settings"><a name="id396280"></a><p class="title"><b>Procedure 21.1. Procedure to Initialize the Printer Driver Settings</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Browse the <span class="guiicon">Network Neighborhood</span>.
- </p></li><li class="step" title="Step 2"><p>
- Find the Samba server.
- </p></li><li class="step" title="Step 3"><p>
- Open the Samba server's <span class="guiicon">Printers and Faxes</span> folder.
- </p></li><li class="step" title="Step 4"><p>
- Highlight the shared printer in question.
- </p></li><li class="step" title="Step 5"><p>
- Right-click on the printer (you may already be here if you followed the last section's description).
- </p></li><li class="step" title="Step 6"><p>
- At the bottom of the context menu select <span class="guimenu">Properties</span> (if the menu still offers the
- <span class="guimenuitem">Connect</span> entry further above, you
- need to click on that one first to achieve the driver
- installation, as shown in the last section).
- </p></li><li class="step" title="Step 7"><p>
- Go to the <span class="guilabel">Advanced</span> tab; click on <span class="guibutton">Printing Defaults</span>.
- </p></li><li class="step" title="Step 8"><p>
- Change the <span class="guimenuitem">Portrait</span> page setting to <span class="guimenuitem">Landscape</span> (and back).
- </p></li><li class="step" title="Step 9"><p>
- Make sure to apply changes between swapping the page orientation to cause the change to actually take effect.
- </p></li><li class="step" title="Step 10"><p>
- While you are at it, you may also want to set the desired printing defaults here, which then apply to all future
- client driver installations.
- </p></li></ol></div><p>
-This procedure executes the printer driver program on the client platform and feeds back the correct
-device mode to Samba, which now stores it in its TDB files. Once the driver is installed on the client,
-you can follow the analogous steps by accessing the <span class="emphasis"><em>local</em></span> <span class="guiicon">Printers</span>
-folder, too, if you are a Samba printer admin user. From now on, printing should work as expected.
-</p><p>
-<a class="indexterm" name="id396424"></a>
-Samba includes a service-level parameter name <em class="parameter"><code>default devmode</code></em> for generating a default
-device mode for a printer. Some drivers function well with Samba's default set of properties. Others
-may crash the client's spooler service. So use this parameter with caution. It is always better to have
-the client generate a valid device mode for the printer and store it on the server for you.
-</p></div><div class="sect2" title="Additional Client Driver Installation"><div class="titlepage"><div><div><h3 class="title"><a name="id396442"></a>Additional Client Driver Installation</h3></div></div></div><p>
-<a class="indexterm" name="id396450"></a>
-Every additional driver may be installed in the same way as just described. Browse <code class="literal">Network
-Neighborhood</code>, open the <span class="guiicon">Printers</span> folder on Samba server, right-click on
-<span class="guiicon">Printer</span>, and choose <span class="guimenuitem">Connect...</span>. Once this completes (should be
-not more than a few seconds, but could also take a minute, depending on network conditions), you should find
-the new printer in your client workstation local <span class="guiicon">Printers and Faxes</span> folder.
-</p><p>
-You can also open your local <span class="guiicon">Printers and Faxes</span> folder by
-using this command on Windows 200x/XP Professional workstations:
-</p><pre class="screen">
-<strong class="userinput"><code>rundll32 shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder</code></strong>
-</pre><p>
-or this command on Windows NT 4.0 workstations:
-<a class="indexterm" name="id396511"></a>
-</p><pre class="screen">
-<strong class="userinput"><code>rundll32 shell32.dll,Control_RunDLL MAIN.CPL @2</code></strong>
-</pre><p>
-</p><p>
-You can enter the commands either inside a <span class="guilabel">DOS box</span> window or in the <span class="guimenuitem">Run
-command...</span> field from the <span class="guimenu">Start</span> menu.
-</p></div><div class="sect2" title="Always Make First Client Connection as root or &#8220;printer admin&#8221;"><div class="titlepage"><div><div><h3 class="title"><a name="id396553"></a>Always Make First Client Connection as root or <span class="quote">&#8220;<span class="quote">printer admin</span>&#8221;</span></h3></div></div></div><p>
-After you installed the driver on the Samba server (in its <em class="parameter"><code>[print$]</code></em> share), you
-should always make sure that your first client installation completes correctly. Make it a habit for yourself
-to build the very first connection from a client as <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a>. This is to make
-sure that:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- A first valid <span class="emphasis"><em>device mode</em></span> is really initialized (see above <a class="link" href="classicalprinting.html#prt-modeset" title="Setting Device Modes on New Printers">Setting Device Modes on New Printers</a>) for more explanation details).
- </p></li><li class="listitem"><p>
- The default print settings of your printer for all further client installations are as you want them.
- </p></li></ul></div><p>
-Do this by changing the orientation to landscape, click on <span class="guiicon">Apply</span>, and then change it
-back again. Next, modify the other settings (for example, you do not want the default media size set to
-<span class="guiicon">Letter</span> when you are all using <span class="guiicon">A4</span>, right? You may want to set the
-printer for <span class="guiicon">duplex</span> as the default, and so on).
-</p><p>
-<a class="indexterm" name="id396641"></a>
-To connect as root to a Samba printer, try this command from a Windows 200x/XP DOS box command prompt:
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /p /t3 /n
- \\<em class="replaceable"><code>SAMBA-SERVER</code></em>\<em class="replaceable"><code>printername</code></em>"</code></strong>
-</pre><p>
-</p><p>
-You will be prompted for <code class="constant">root</code>'s Samba password; type it, wait a few seconds, click on
-<span class="guibutton">Printing Defaults</span>, and proceed to set the job options that should be used as defaults
-by all clients. Alternatively, instead of root you can name one other member of the <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a> from the setting.
-</p><p>
-Now all the other users downloading and installing the driver the same way (using
-<code class="literal">Point'n'Print</code>) will have the same defaults set for them. If you miss this step, you'll get a
-lot of help desk calls from your users, but maybe you like to talk to people.
-</p></div></div><div class="sect1" title="Other Gotchas"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id396711"></a>Other Gotchas</h2></div></div></div><p>
-Your driver is installed. It is now ready for Point'n'Print installation by the clients. You may have tried to
-download and use it on your first client machine, but wait. Let's make sure you are acquainted first with a
-few tips and tricks you may find useful. For example, suppose you did not set the defaults on the printer, as
-advised in the preceding paragraphs. Your users complain about various issues (such as, <span class="quote">&#8220;<span class="quote">We need to set
-the paper size for each job from Letter to A4 and it will not store it</span>&#8221;</span>).
-</p><div class="sect2" title="Setting Default Print Options for Client Drivers"><div class="titlepage"><div><div><h3 class="title"><a name="id396728"></a>Setting Default Print Options for Client Drivers</h3></div></div></div><p>
-The last sentence might be viewed with mixed feelings by some users and Admins. They have struggled for hours
-and could not arrive at a point where their settings seemed to be saved. It is not their fault. The confusing
-thing is that in the multitabbed dialog that pops up when you right-click on the printer name and select
-<span class="guimenuitem">Properties</span>, you can arrive at two dialogs that appear identical, each claiming that
-they help you to set printer options in three different ways. Here is the definitive answer to the Samba
-default driver setting FAQ:
-</p><p title="&#8220;I can not set and save default print options for all users on Windows 200x/XP. Why not?&#8221;"><b><span class="quote">&#8220;<span class="quote">I can not set and save default print options
-for all users on Windows 200x/XP. Why not?</span>&#8221;</span>. </b>
-How are you doing it? I bet the wrong way. (It is not easy to find out, though.) There are three different
-ways to bring you to a dialog that seems to set everything. All three dialogs look the same, but only one of
-them does what you intend. You need to be Administrator or Print Administrator to do this for all users. Here
-is how I reproduce it in an XP Professional:
-</p><div class="orderedlist"><ol class="orderedlist" type="A"><li class="listitem"><p>The first <span class="quote">&#8220;<span class="quote">wrong</span>&#8221;</span> way:
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Open the <span class="guiicon">Printers</span> folder.</p></li><li class="listitem"><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on cupshost</em></span>) and
- select in context menu <span class="guimenu">Printing Preferences...</span>.</p></li><li class="listitem"><p>Look at this dialog closely and remember what it looks like.</p></li></ol></div></li><li class="listitem"><p>The second <span class="quote">&#8220;<span class="quote">wrong</span>&#8221;</span> way:
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Open the <span class="guimenu">Printers</span> folder.</p></li><li class="listitem"><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on
- cupshost</em></span>) and select in the context menu
- <span class="guimenuitem">Properties</span></p></li><li class="listitem"><p>Click on the <span class="guilabel">General</span>
- tab.</p></li><li class="listitem"><p>Click on the <span class="guibutton">Printing
- Preferences...</span> button.</p></li><li class="listitem"><p>A new dialog opens. Keep this dialog open and go back
- to the parent dialog.</p></li></ol></div><p>
- </p></li><li class="listitem"><p>
- The third and correct way (should you do this from the beginning, just carry out steps 1
- and 2 from the second method above):
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Click on the <span class="guilabel">Advanced</span>
- tab. (If everything is <span class="quote">&#8220;<span class="quote">grayed out,</span>&#8221;</span> then you are not logged
- in as a user with enough privileges.)</p></li><li class="listitem"><p>Click on the <span class="guibutton">Printing
- Defaults</span> button.</p></li><li class="listitem"><p>On any of the two new tabs,
- click on the
- <span class="guilabel">Advanced</span> button.</p></li><li class="listitem"><p>A new dialog opens. Compare
- this one to the other. Are they
- identical when you compare one from
- <span class="quote">&#8220;<span class="quote">B.5</span>&#8221;</span> and one from A.3?</p></li></ol></div></li></ol></div><p title="&#8220;I can not set and save default print options for all users on Windows 200x/XP. Why not?&#8221;">
-Do you see any difference in the two settings dialogs? I do not either. However, only the last one, which you
-arrived at with steps C.1 through C.6 will permanently save any settings which will then become the defaults
-for new users. If you want all clients to have the same defaults, you need to conduct these steps as
-administrator (<a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a>) before a client downloads the driver (the clients can
-later set their own per-user defaults by following procedures A or B above). Windows 200x/XP allow per-user
-default settings and the ones the administrator gives them before they set up their own. The parents of the
-identical-looking dialogs have a slight difference in their window names; one is called
-<code class="computeroutput">Default Print Values for Printer Foo on Server Bar</code> (which is the one you
-need) and the other is called <span class="quote">&#8220;<span class="quote"><code class="computeroutput">Print Settings for Printer Foo on Server
-Bar</code></span>&#8221;</span>. The last one is the one you arrive at when you right-click on the printer and
-select <span class="guimenuitem">Print Settings...</span>. This is the one that you were taught to use back in the
-days of Windows NT, so it is only natural to try the same way with Windows 200x/XP. You would not dream that
-there is now a different path to arrive at an identical-looking, but functionally different, dialog to set
-defaults for all users.
-</p><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Try (on Windows 200x/XP) to run this command (as a user with the right privileges):
-<a class="indexterm" name="id396994"></a>
-</p><p><strong class="userinput"><code>
-rundll32 printui.dll,PrintUIEntry /p /t3 /n\\<em class="replaceable"><code>SAMBA-SERVER</code></em>\<em class="replaceable"><code>printersharename</code></em>
-</code></strong></p><p>
-To see the tab with the <span class="guilabel">Printing Defaults</span> button (the one you need), also run this command:
-</p><p><strong class="userinput"><code>
-rundll32 printui.dll,PrintUIEntry /p /t0 /n\\<em class="replaceable"><code>SAMBA-SERVER</code></em>\<em class="replaceable"><code>printersharename</code></em>
-</code></strong></p><p>
-To see the tab with the <span class="guilabel">Printing Preferences</span>
-button (the one that does not set systemwide defaults), you can
-start the commands from inside a DOS box or from <span class="guimenu">Start</span> -&gt; <span class="guimenuitem">Run</span>.
-</p></div></div><div class="sect2" title="Supporting Large Numbers of Printers"><div class="titlepage"><div><div><h3 class="title"><a name="id397064"></a>Supporting Large Numbers of Printers</h3></div></div></div><p>
-One issue that has arisen during the recent development phase of Samba is the need to support driver
-downloads for hundreds of printers. Using Windows NT APW for this task is somewhat awkward (to say the least). If
-you do not want to acquire RSS pains from the printer installation clicking orgy alone, you need
-to think about a non-interactive script.
-</p><p>
-If more than one printer is using the same driver, the <code class="literal">rpcclient setdriver</code>
-command can be used to set the driver associated with an installed queue. If the driver is uploaded to
-<em class="parameter"><code>[print$]</code></em> once and registered with the printing TDBs, it can be used by
-multiple print queues. In this case, you just need to repeat the <code class="literal">setprinter</code> subcommand of
-<code class="literal">rpcclient</code> for every queue (without the need to conduct the <code class="literal">adddriver</code>
-repeatedly). The following is an example of how this can be accomplished:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'enumdrivers'</code></strong>
- cmd = enumdrivers
-
- [Windows NT x86]
- Printer Driver Info 1:
- Driver Name: [infotec IS 2075 PCL 6]
-
- Printer Driver Info 1:
- Driver Name: [DANKA InfoStream]
-
- Printer Driver Info 1:
- Driver Name: [Heidelberg Digimaster 9110 (PS)]
-
- Printer Driver Info 1:
- Driver Name: [dm9110]
-
- Printer Driver Info 1:
- Driver Name: [mydrivername]
-
- [....]
-</pre><p>
-
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'enumprinters'</code></strong>
- cmd = enumprinters
- flags:[0x800000]
- name:[\\SAMBA-CUPS\dm9110]
- description:[\\SAMBA-CUPS\dm9110,,110ppm HiVolume DANKA Stuttgart]
- comment:[110 ppm HiVolume DANKA Stuttgart]
- [....]
-</pre><p>
-
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c \
- 'setdriver <em class="replaceable"><code>dm9110</code></em> "<em class="replaceable"><code>Heidelberg Digimaster 9110 (PS)</code></em>"'</code></strong>
- cmd = setdriver dm9110 Heidelberg Digimaster 9110 (PPD)
- Successfully set dm9110 to driver Heidelberg Digimaster 9110 (PS).
-</pre><p>
-
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'enumprinters'</code></strong>
- cmd = enumprinters
- flags:[0x800000]
- name:[\\SAMBA-CUPS\dm9110]
- description:[\\SAMBA-CUPS\dm9110,Heidelberg Digimaster 9110 (PS),\
- 110ppm HiVolume DANKA Stuttgart]
- comment:[110ppm HiVolume DANKA Stuttgart]
- [....]
-</pre><p>
-
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'setdriver <em class="replaceable"><code>dm9110</code></em> <em class="replaceable"><code>mydrivername</code></em>'</code></strong>
- cmd = setdriver dm9110 mydrivername
- Successfully set dm9110 to mydrivername.
-</pre><p>
-
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient <em class="replaceable"><code>SAMBA-CUPS</code></em> -U root%<em class="replaceable"><code>secret</code></em> -c 'enumprinters'</code></strong>
- cmd = enumprinters
- flags:[0x800000]
- name:[\\SAMBA-CUPS\dm9110]
- description:[\\SAMBA-CUPS\dm9110,mydrivername,\
- 110ppm HiVolume DANKA Stuttgart]
- comment:[110ppm HiVolume DANKA Stuttgart]
- [....]
-</pre><p>
-It may not be easy to recognize that the first call to <code class="literal">enumprinters</code> showed the
-<span class="quote">&#8220;<span class="quote">dm9110</span>&#8221;</span> printer with an empty string where the driver should have been listed (between
-the two commas in the description field). After the <code class="literal">setdriver</code> command
-succeeds, all is well.
-</p></div><div class="sect2" title="Adding New Printers with the Windows NT APW"><div class="titlepage"><div><div><h3 class="title"><a name="id397300"></a>Adding New Printers with the Windows NT APW</h3></div></div></div><p>
-By default, Samba exhibits all printer shares defined in <code class="filename">smb.conf</code> in the <span class="guiicon">Printers</span>
-folder. Also located in this folder is the Windows NT Add Printer Wizard icon. The APW will be shown only if:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- The connected user is able to successfully execute an <code class="literal">OpenPrinterEx(\\server)</code> with
- administrative privileges (i.e., root or <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a>).
- </p><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Try this from a Windows 200x/XP DOS box command prompt:
- </p><p><strong class="userinput"><code>
- runas /netonly /user:root rundll32 printui.dll,PrintUIEntry /p /t0 /n \\<em class="replaceable"><code>SAMBA-SERVER</code></em>\<em class="replaceable"><code>printersharename</code></em>
- </code></strong></p><p>
- Click on <span class="guibutton">Printing Preferences</span>.
- </p></div></li><li class="listitem"><p>... contains the setting
- <a class="link" href="smb.conf.5.html#SHOWADDPRINTERWIZARD" target="_top">show add printer wizard = yes</a> (the
- default).</p></li></ul></div><p>
-The APW can do various things:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Upload a new driver to the Samba <em class="parameter"><code>[print$]</code></em> share.
- </p></li><li class="listitem"><p>
- Associate an uploaded driver with an existing (but still driverless) print queue.
- </p></li><li class="listitem"><p>
- Exchange the currently used driver for an existing print queue with one that has been uploaded before.
- </p></li><li class="listitem"><p>
- Add an entirely new printer to the Samba host (only in conjunction with a working
- <a class="link" href="smb.conf.5.html#ADDPRINTERCOMMAND" target="_top">add printer command</a>. A corresponding
- <a class="link" href="smb.conf.5.html#DELETEPRINTERCOMMAND" target="_top">delete printer command</a> for removing entries from the
- <span class="guiicon">Printers</span> folder may also be provided).
- </p></li></ul></div><p>
-The last one (add a new printer) requires more effort than the previous ones. To use the APW to successfully
-add a printer to a Samba server, the <a class="link" href="smb.conf.5.html#ADDPRINTERCOMMAND" target="_top">add printer command</a> must have a defined value.
-The program hook must successfully add the printer to the UNIX print system (i.e., to
-<code class="filename">/etc/printcap</code>, <code class="filename">/etc/cups/printers.conf</code> or other appropriate files)
-and to <code class="filename">smb.conf</code> if necessary.
-</p><p>
-When using the APW from a client, if the named printer share does not exist, smbd will execute the
-<a class="link" href="smb.conf.5.html#ADDPRINTERCOMMAND" target="_top">add printer command</a> and reparse to attempt to locate the new printer share. If the
-share is still not defined, an error of "<span class="errorname">Access Denied"</span> is returned to the client. The
-<a class="link" href="smb.conf.5.html#ADDPRINTERCOMMAND" target="_top">add printer command</a> is executed under the context of the connected user, not
-necessarily a root account. A <a class="link" href="smb.conf.5.html#MAPTOGUEST" target="_top">map to guest = bad user</a> may have connected
-you unwittingly under the wrong privilege. You should check it by using the <code class="literal">smbstatus</code>
-command.
-</p></div><div class="sect2" title="Error Message: &#8220;Cannot connect under a different Name&#8221;"><div class="titlepage"><div><div><h3 class="title"><a name="id397538"></a>Error Message: <span class="quote">&#8220;<span class="quote">Cannot connect under a different Name</span>&#8221;</span></h3></div></div></div><p>
-Once you are connected with the wrong credentials, there is no means to reverse the situation other than
-to close all Explorer windows, and perhaps reboot.
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id397556"></a>
- The <code class="literal">net use \\SAMBA-SERVER\sharename /user:root</code> gives you an error message:
- <span class="quote">&#8220;<span class="quote">Multiple connections to a server or a shared resource by the same user utilizing
- several user names are not allowed. Disconnect all previous connections to the server,
- esp. the shared resource, and try again.</span>&#8221;</span>
- </p></li><li class="listitem"><p>
- Every attempt to <span class="quote">&#8220;<span class="quote">connect a network drive</span>&#8221;</span> to <code class="filename">\\SAMBASERVER\\print$</code>
- to <code class="constant">z:</code> is countered by the pertinacious message: <span class="quote">&#8220;<span class="quote">This
- network folder is currently connected under different credentials (username and password).
- Disconnect first any existing connection to this network share in order to connect again under
- a different username and password</span>&#8221;</span>.
- </p></li></ul></div><p>
-So you close all connections. You try again. You get the same message. You check from the Samba side, using
-<code class="literal">smbstatus</code>. Yes, there are more connections. You kill them all. The client still gives you
-the same error message. You watch the smbd.log file on a high debug level and try reconnect. Same error
-message, but not a single line in the log. You start to wonder if there was a connection attempt at all. You
-run ethereal and tcpdump while you try to connect. Result: not a single byte goes on the wire. Windows still
-gives the error message. You close all Explorer windows and start it again. You try to connect and
-this times it works! Windows seems to cache connection information somewhere and does not keep it up to date
-(if you are unlucky, you might need to reboot to get rid of the error message).
-</p><p>
-The easiest way to forcefully terminate all connections from your client to a server is by executing:
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code> net use * /delete
-</pre><p>
-This will also disconnect all mapped drives and will allow you create fresh connection as required.
-</p></div><div class="sect2" title="Take Care When Assembling Driver Files"><div class="titlepage"><div><div><h3 class="title"><a name="id397636"></a>Take Care When Assembling Driver Files</h3></div></div></div><p>
-You need to be extremely careful when you take notes about the files belonging to a particular
-driver. Don't confuse the files for driver version <span class="quote">&#8220;<span class="quote">0</span>&#8221;</span> (for Windows 9x/Me, going into
-<code class="filename">[print$]/WIN/0/</code>), driver version <code class="filename">2</code> (kernel mode driver for Windows NT,
-going into <code class="filename">[print$]/W32X86/2/</code>; may be used on Windows 200x/XP also), and
-driver version <span class="quote">&#8220;<span class="quote">3</span>&#8221;</span> (non-kernel mode driver going into <code class="filename">[print$]/W32X86/3/</code>;
-cannot be used on Windows NT). Quite often these different driver versions contain
-files that have the same name but actually are very different. If you look at them from
-the Windows Explorer (they reside in <code class="filename">%WINDOWS%\system32\spool\drivers\W32X86\</code>),
-you will probably see names in capital letters, while an <code class="literal">enumdrivers</code> command from Samba
-would show mixed or lowercase letters, so it is easy to confuse them. If you install them manually using
-<code class="literal">rpcclient</code> and subcommands, you may even succeed without an error message. Only later,
-when you try install on a client, you will encounter error messages like <code class="computeroutput">This server
-has no appropriate driver for the printer</code>.
-</p><p>
-Here is an example. You are invited to look closely at the various files, compare their names and
-their spelling, and discover the differences in the composition of the version 2 and 3 sets. Note: the
-version 0 set contained 40 <em class="parameter"><code>Dependentfiles</code></em>, so I left it out for space reasons:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>rpcclient -U 'Administrator%<em class="replaceable"><code>secret</code></em>' -c 'enumdrivers 3' 10.160.50.8 </code></strong>
-
- Printer Driver Info 3:
- Version: [3]
- Driver Name: [Canon iR8500 PS3]
- Architecture: [Windows NT x86]
- Driver Path: [\\10.160.50.8\print$\W32X86\3\cns3g.dll]
- Datafile: [\\10.160.50.8\print$\W32X86\3\iR8500sg.xpd]
- Configfile: [\\10.160.50.8\print$\W32X86\3\cns3gui.dll]
- Helpfile: [\\10.160.50.8\print$\W32X86\3\cns3g.hlp]
-
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aucplmNT.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\ucs32p.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\tnl32.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aussdrv.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cnspdc.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aussapi.dat]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cns3407.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\CnS3G.cnt]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\NBAPI.DLL]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\NBIPC.DLL]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcview.exe]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcdspl.exe]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcedit.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcqm.exe]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcspl.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cfine32.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcr407.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\Cpcqm407.hlp]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcqm407.cnt]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cns3ggr.dll]
-
- Monitorname: []
- Defaultdatatype: []
-
- Printer Driver Info 3:
- Version: [2]
- Driver Name: [Canon iR5000-6000 PS3]
- Architecture: [Windows NT x86]
- Driver Path: [\\10.160.50.8\print$\W32X86\2\cns3g.dll]
- Datafile: [\\10.160.50.8\print$\W32X86\2\IR5000sg.xpd]
- Configfile: [\\10.160.50.8\print$\W32X86\2\cns3gui.dll]
- Helpfile: [\\10.160.50.8\print$\W32X86\2\cns3g.hlp]
-
- Dependentfiles: [\\10.160.50.8\print$\W32X86\2\AUCPLMNT.DLL]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\2\aussdrv.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cnspdc.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\2\aussapi.dat]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cns3407.dll]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\2\CnS3G.cnt]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\2\NBAPI.DLL]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\2\NBIPC.DLL]
- Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cns3gum.dll]
-
- Monitorname: [CPCA Language Monitor2]
- Defaultdatatype: []
-
-</pre><p>
-If we write the <span class="quote">&#8220;<span class="quote">version 2</span>&#8221;</span> files and the <span class="quote">&#8220;<span class="quote">version 3</span>&#8221;</span> files
-into different text files and compare the result, we see this
-picture:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>sdiff 2-files 3-files</code></strong>
-
-
- cns3g.dll cns3g.dll
- iR8500sg.xpd iR8500sg.xpd
- cns3gui.dll cns3gui.dll
- cns3g.hlp cns3g.hlp
- AUCPLMNT.DLL | aucplmNT.dll
- &gt; ucs32p.dll
- &gt; tnl32.dll
- aussdrv.dll aussdrv.dll
- cnspdc.dll cnspdc.dll
- aussapi.dat aussapi.dat
- cns3407.dll cns3407.dll
- CnS3G.cnt CnS3G.cnt
- NBAPI.DLL NBAPI.DLL
- NBIPC.DLL NBIPC.DLL
- cns3gum.dll | cpcview.exe
- &gt; cpcdspl.exe
- &gt; cpcqm.exe
- &gt; cpcspl.dll
- &gt; cfine32.dll
- &gt; cpcr407.dll
- &gt; Cpcqm407.hlp
- &gt; cpcqm407.cnt
- &gt; cns3ggr.dll
-
-</pre><p>
-
-Do not be fooled! Driver files for each version with identical
-names may be different in their content, as you can see from this size
-comparison:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>for i in cns3g.hlp cns3gui.dll cns3g.dll; do \
- smbclient //10.160.50.8/print\$ -U 'Administrator%xxxx' \
- -c "cd W32X86/3; dir $i; cd .. ; cd 2; dir $i"; \
- done</code></strong>
-
- CNS3G.HLP A 122981 Thu May 30 02:31:00 2002
- CNS3G.HLP A 99948 Thu May 30 02:31:00 2002
-
- CNS3GUI.DLL A 1805824 Thu May 30 02:31:00 2002
- CNS3GUI.DLL A 1785344 Thu May 30 02:31:00 2002
-
- CNS3G.DLL A 1145088 Thu May 30 02:31:00 2002
- CNS3G.DLL A 15872 Thu May 30 02:31:00 2002
-</pre><p>
-In my example were even more differences than shown here. Conclusion: you must be careful to select the
-correct driver files for each driver version. Don't rely on the names alone, and don't interchange files
-belonging to different driver versions.
-</p></div><div class="sect2" title="Samba and Printer Ports"><div class="titlepage"><div><div><h3 class="title"><a name="id397860"></a>Samba and Printer Ports</h3></div></div></div><p>
-<a class="indexterm" name="id397868"></a>
-<a class="indexterm" name="id397874"></a>
-<a class="indexterm" name="id397881"></a>
-<a class="indexterm" name="id397888"></a>
-Windows NT/2000 print servers associate a port with each printer. These normally take the form of
-<code class="filename">LPT1:</code>, <code class="filename">COM1:</code>, <code class="filename">FILE:</code>, and so on. Samba must also
-support the concept of ports associated with a printer. By default, only one printer port, named <span class="quote">&#8220;<span class="quote">Samba
-Printer Port</span>&#8221;</span>, exists on a system. Samba does not really need such a <span class="quote">&#8220;<span class="quote">port</span>&#8221;</span> in order to
-print; rather it is a requirement of Windows clients. They insist on being told about an available port when
-they request this information; otherwise, they throw an error message at you. So Samba fakes the port
-information to keep the Windows clients happy.
-</p><p>
-<a class="indexterm" name="id397927"></a>
-Samba does not support the concept of <code class="constant">Printer Pooling</code> internally either. Printer
-pooling assigns a logical printer to multiple ports as a form of load balancing or failover.
-</p><p>
-If you require multiple ports to be defined for some reason or another (my users and my boss should not know
-that they are working with Samba), configure the <a class="link" href="smb.conf.5.html#ENUMPORTSCOMMAND" target="_top">enumports command</a>,
-which can be used to define an external program that generates a listing of ports on a system.
-</p></div><div class="sect2" title="Avoiding Common Client Driver Misconfiguration"><div class="titlepage"><div><div><h3 class="title"><a name="id397959"></a>Avoiding Common Client Driver Misconfiguration</h3></div></div></div><p>
-So now the printing works, but there are still problems. Most jobs print well, some do not print at
-all. Some jobs have problems with fonts, which do not look good. Some jobs print fast and some
-are dead-slow. We cannot cover it all, but we want to encourage you to read the brief paragraph about
-<span class="quote">&#8220;<span class="quote">Avoiding the Wrong PostScript Driver Settings</span>&#8221;</span> in <a class="link" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing
-Chapter</a>, <a class="link" href="CUPS-printing.html#cups-avoidps1" title="Avoiding Critical PostScript Driver Settings on the Client">Avoiding Critical PostScript Driver Settings on the
-Client</a>.
-</p></div></div><div class="sect1" title="The Imprints Toolset"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id397992"></a>The Imprints Toolset</h2></div></div></div><p>
-<a class="indexterm" name="id397999"></a>
-The Imprints tool set provides a UNIX equivalent of the Windows NT APW. For complete information, please
-refer to the <a class="ulink" href="http://imprints.sourceforge.net/" target="_top">Imprints</a> Web site as well as the
-documentation included with the Imprints source distribution. This section provides only a brief introduction
-to the features of Imprints.
-</p><p>
-Unfortunately, the Imprints toolset is no longer maintained. As of December 2000, the project is in
-need of a new maintainer. The most important skill to have is Perl coding and an interest in MS-RPC-based
-printing used in Samba. If you wish to volunteer, please coordinate your efforts on the Samba technical
-mailing list. The toolset is still in usable form, but only for a series of older printer models where
-there are prepared packages to use. Packages for more up-to-date print devices are needed if Imprints
-should have a future. Information regarding the Imprints toolset can be obtained from the <a class="ulink" href="http://imprints.sourceforge.net/" target="_top">Imprints</a> home page.
-</p><div class="sect2" title="What Is Imprints?"><div class="titlepage"><div><div><h3 class="title"><a name="id398030"></a>What Is Imprints?</h3></div></div></div><p>
-Imprints is a collection of tools for supporting these goals:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Providing a central repository of information regarding Windows NT and 95/98 printer driver packages.
- </p></li><li class="listitem"><p>
- Providing the tools necessary for creating the Imprints printer driver packages.
- </p></li><li class="listitem"><p>
- Providing an installation client that will obtain printer drivers from a central Internet (or intranet) Imprints Server
- repository and install them on remote Samba and Windows NT4 print servers.
- </p></li></ul></div></div><div class="sect2" title="Creating Printer Driver Packages"><div class="titlepage"><div><div><h3 class="title"><a name="id398060"></a>Creating Printer Driver Packages</h3></div></div></div><p>
-The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt,
-included with the Samba distribution for more information). In short, an Imprints driver package
-is a gzipped tarball containing the driver files, related INF files, and a control file needed by the
-installation client.
-</p></div><div class="sect2" title="The Imprints Server"><div class="titlepage"><div><div><h3 class="title"><a name="id398072"></a>The Imprints Server</h3></div></div></div><p>
-The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each
-printer entry in the database has an associated URL for the actual downloading of the package. Each
-package is digitally signed via GnuPG, which can be used to verify that
-the package downloaded is actually
-the one referred in the Imprints database. It is strongly recommended that this security check
-not be disabled.
-</p></div><div class="sect2" title="The Installation Client"><div class="titlepage"><div><div><h3 class="title"><a name="id398086"></a>The Installation Client</h3></div></div></div><p>
-More information regarding the Imprints installation client is available from the documentation file
-<code class="filename">Imprints-Client-HOWTO.ps</code> that is included with the Imprints source package. The Imprints
-installation client comes in two forms:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A set of command-line Perl scripts.</p></li><li class="listitem"><p>A GTK+-based graphical interface to the command-line Perl scripts.</p></li></ul></div><p>
-The installation client (in both forms) provides a means of querying the Imprints database server for
-a matching list of known printer model names as well as a means to download and install the drivers on
-remote Samba and Windows NT print servers.
-</p><p>
-The basic installation process is in four steps, and Perl code is wrapped around smbclient and rpcclient.
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- For each supported architecture for a given driver:
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>rpcclient: Get the appropriate upload directory on the remote server.</p></li><li class="listitem"><p>smbclient: Upload the driver files.</p></li><li class="listitem"><p>rpcclient: Issues an AddPrinterDriver() MS-RPC.</p></li></ol></div><p>
- </p></li><li class="listitem"><p>rpcclient: Issues an AddPrinterEx() MS-RPC to actually create the printer.</p></li></ul></div><p>
-One of the problems encountered when implementing the Imprints tool set was the namespace issues between
-various supported client architectures. For example, Windows NT includes a driver named <span class="quote">&#8220;<span class="quote">Apple LaserWriter
-II NTX v51.8</span>&#8221;</span>, and Windows 95 calls its version of this driver <span class="quote">&#8220;<span class="quote">Apple LaserWriter II NTX</span>&#8221;</span>.
-</p><p>
-The problem is how to know what client drivers have been uploaded for a printer. An astute reader will
-remember that the Windows NT Printer Properties dialog only includes space for one printer driver name. A
-quick look in the Windows NT 4.0 system registry at:
-</p><p><code class="filename">
- HKLM\System\CurrentControlSet\Control\Print\Environment
-</code></p><p>
-will reveal that Windows NT always uses the NT driver name. This is okay because Windows NT always requires
-that at least the Windows NT version of the printer driver is present. Samba does not have the
-requirement internally; therefore, <span class="quote">&#8220;<span class="quote">How can you use the NT driver name if it has not already been installed?</span>&#8221;</span>
-</p><p>
-The way of sidestepping this limitation is to require that all Imprints printer driver packages include both the Intel Windows NT and
-95/98 printer drivers and that the NT driver is installed first.
-</p></div></div><div class="sect1" title="Adding Network Printers without User Interaction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id398202"></a>Adding Network Printers without User Interaction</h2></div></div></div><p>
-The following MS Knowledge Base article may be of some help if you need to handle Windows 2000 clients:
-<span class="emphasis"><em>How to Add Printers with No User Interaction in Windows 2000,</em></span> (<a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;189105" target="_top">Microsoft KB 189105</a>). It also
-applies to Windows XP Professional clients. The ideas sketched out in this section are inspired by this
-article, which describes a command-line method that can be applied to install network and local printers and
-their drivers. This is most useful if integrated in Logon Scripts. You can see what options are available by
-typing in the command prompt (<code class="literal">DOS box</code>):
-</p><p><strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /?</code></strong></p><p>
-A window pops up that shows you all of the command-line switches available. An extensive list of examples
-is also provided. This is only for Windows 200x/XP; it does not work on Windows NT. Windows NT probably has
-some other tools in the respective Resource Kit. Here is a suggestion about what a client logon script
-might contain, with a short explanation of what the lines actually do (it works if 200x/XP Windows
-clients access printers via Samba, and works for Windows-based print servers too):
-</p><pre class="screen">
-<strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /dn /n "\\cupsserver\infotec2105-IPDS" /q</code></strong>
-<strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /in /n "\\cupsserver\infotec2105-PS"</code></strong>
-<strong class="userinput"><code>rundll32 printui.dll,PrintUIEntry /y /n "\\cupsserver\infotec2105-PS"</code></strong>
-</pre><p>
-Here is a list of the used command-line parameters:
-</p><div class="variablelist"><dl><dt><span class="term">/dn</span></dt><dd><p>deletes a network printer.</p></dd><dt><span class="term">/q</span></dt><dd><p>quiet modus.</p></dd><dt><span class="term">/n</span></dt><dd><p>names a printer.</p></dd><dt><span class="term">/in</span></dt><dd><p>adds a network printer connection.</p></dd><dt><span class="term">/y</span></dt><dd><p>sets printer as default printer.</p></dd></dl></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Line 1 deletes a possibly existing previous network printer <span class="emphasis"><em>infotec2105-IPDS</em></span>
- (which had used native Windows drivers with LPRng that were removed from the server that was
- converted to CUPS). The <code class="literal">/q</code> at the end prevents confirm
- or error dialog boxes from popping up. They should not be presented to the user logging on.
- </p></li><li class="listitem"><p>
- Line 2 adds the new printer
- <span class="emphasis"><em>infotec2105-PS</em></span> (which actually is the same
- physical device but is now run by the new CUPS printing system and associated with the
- CUPS/Adobe PS drivers). The printer and its driver must have been added to Samba prior to
- the user logging in (e.g., by a procedure as discussed earlier in this chapter or by running
- <code class="literal">cupsaddsmb</code>). The driver is now autodownloaded to the client PC where the
- user is about to log in.
- </p></li><li class="listitem"><p>
- Line 3 sets the default printer to this new network printer (there might be several other
- printers installed with this same method, and some may be local as well, so we decide for a
- default printer). The default printer selection may, of course, be different for different users.
- </p></li></ul></div><p>
-The second line only works if the printer <span class="emphasis"><em>infotec2105-PS</em></span> has an already working
-print queue on the <code class="constant">cupsserver</code> and if the
-printer drivers have been successfully uploaded
-(via the <code class="literal">APW</code>, <code class="literal">smbclient/rpcclient</code>, or <code class="literal">cupsaddsmb</code>)
-into the <em class="parameter"><code>[print$]</code></em> driver repository of Samba. Some Samba versions
-prior to version 3.0 required a restart of smbd after the printer install and the driver upload;
-otherwise the script (or any other client driver download) would fail.
-</p><p>
-Since there is no easy way to test for the existence of an installed network printer from the logon script,
-do not bother checking. Just allow the de-installation/re-installation to occur every time a user logs in;
-it's really quick anyway (1 to 2 seconds).
-</p><p>
-The additional benefits for this are:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- It puts in place any printer default setup changes automatically at every user logon.
- </p></li><li class="listitem"><p>
- It allows for <span class="quote">&#8220;<span class="quote">roaming</span>&#8221;</span> users' login to the domain from different workstations.
- </p></li></ul></div><p>
-Since network printers are installed per user, this much simplifies the process of keeping the installation
-up to date. The few extra seconds at logon time will not really be noticeable. Printers can be centrally
-added, changed, and deleted at will on the server with no user intervention required from the clients
-(you just need to keep the logon scripts up to date).
-</p></div><div class="sect1" title="The addprinter Command"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id398444"></a>The <code class="literal">addprinter</code> Command</h2></div></div></div><p>
-The <code class="literal">addprinter</code> command can be configured to be a shell script or program executed by
-Samba. It is triggered by running the APW from a client against the Samba print server. The APW asks
-the user to fill in several fields (such as printer name, driver to be used, comment, port monitor,
-and so on). These parameters are passed on to Samba by the APW. If the addprinter command is designed in a
-way that it can create a new printer (through writing correct printcap entries on legacy systems or
-by executing the <code class="literal">lpadmin</code> command on more modern systems) and create the associated share,
-then the APW will in effect really create a new printer on Samba and the UNIX print subsystem!
-</p></div><div class="sect1" title="Migration of Classical Printing to Samba"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id398477"></a>Migration of Classical Printing to Samba</h2></div></div></div><p>
-The basic NT-style printer driver management has not changed considerably in 3.0 over the 2.2.x releases
-(apart from many small improvements). Here migration should be quite easy, especially if you followed
-previous advice to stop using deprecated parameters in your setup. For migrations from an existing 2.0.x
-setup, or if you continued Windows 9x/Me-style printing in your Samba 2.2 installations, it is more of
-an effort. Please read the appropriate release notes and the HOWTO Collection for Samba-2.2.x. You can
-follow several paths. Here are possible scenarios for migration:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- You need to study and apply the new Windows NT printer and driver support. Previously used
- parameters <em class="parameter"><code>printer driver file</code></em>, <em class="parameter"><code>printer driver</code></em>,
- and <em class="parameter"><code>printer driver location</code></em> are no longer supported.
- </p></li><li class="listitem"><p>
- If you want to take advantage of Windows NT printer driver support, you also need to migrate the
- Windows 9x/Me drivers to the new setup.
- </p></li><li class="listitem"><p>
- An existing <code class="filename">printers.def</code> file (the one specified in the now removed parameter
- <em class="parameter"><code>printer driver file</code></em>) will no longer work with Samba-3. In 3.0, smbd attempts
- to locate Windows 9x/Me driver files for the printer in <em class="parameter"><code>[print$]</code></em>
- and additional settings in the TDB and only there; if it fails, it will <span class="emphasis"><em>not</em></span>
- (as 2.2.x used to do) drop down to using a <code class="filename">printers.def</code> (and all associated
- parameters). The make_printerdef tool is removed and there is no backward compatibility for this.
- </p></li><li class="listitem"><p>You need to install a Windows 9x/Me driver into the
- <em class="parameter"><code>[print$]</code></em> share for a printer on your Samba
- host. The driver files will be stored in the <span class="quote">&#8220;<span class="quote">WIN40/0</span>&#8221;</span> subdirectory of
- <em class="parameter"><code>[print$]</code></em>, and some other settings and information go
- into the printing-related TDBs.</p></li><li class="listitem"><p>
- If you want to migrate an existing <code class="filename">printers.def</code> file into the new setup, the only current
- solution is to use the Windows NT APW to install the NT drivers and the 9x/Me drivers. This can be scripted
- using smbclient and rpcclient. See the Imprints installation client on the <a class="ulink" href="http://imprints.sourceforge.net/" target="_top">Imprints</a> web site for example. See also the discussion of
- rpcclient usage in <a class="link" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing</a>.
- </p></li></ul></div></div><div class="sect1" title="Publishing Printer Information in Active Directory or LDAP"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id398608"></a>Publishing Printer Information in Active Directory or LDAP</h2></div></div></div><p>
-This topic has also been addressed in <a class="link" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">Remote and Local Management The
-Net Command</a>. If you wish to volunteer your services to help document this further, please contact
-<a class="ulink" href="mail://jht@samba.org" target="_top">John H. Terpstra</a>.
-</p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id398635"></a>Common Errors</h2></div></div></div><div class="sect2" title="I Give My Root Password but I Do Not Get Access"><div class="titlepage"><div><div><h3 class="title"><a name="id398641"></a>I Give My Root Password but I Do Not Get Access</h3></div></div></div><p>
-Do not confuse the root password, which is valid for the UNIX system (and in most cases stored in the
-form of a one-way hash in a file named <code class="filename">/etc/shadow</code>), with the password used to
-authenticate against Samba. Samba does not know the UNIX password. Root access to Samba resources
-requires that a Samba account for root must first be created. This is done with the <code class="literal">smbpasswd</code>
-command as follows:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbpasswd -a root
-New SMB password: secret
-Retype new SMB password: secret
-</pre><p>
-</p></div><div class="sect2" title="My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost"><div class="titlepage"><div><div><h3 class="title"><a name="id398678"></a>My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</h3></div></div></div><p>
-Do not use the existing UNIX print system spool directory for the Samba spool directory. It may seem
-convenient and a savings of space, but it only leads to problems. The two must be separate. The UNIX/Linux
-system print spool directory (e.g., <code class="filename">/var/spool/cups</code>) is typically owned by a
-non-privileged user such as <code class="literal">cups</code> or <code class="literal">lp</code>. Additionally. the permissions on
-the spool directory are typically restrictive to the owner and/or group. On the other hand, the Samba
-spool directory must be world writable, and should have the 't' bit set to ensure that only a temporary
-spool file owner can change or delete the file.
-</p><p>
-Depending on the type of print spooling system in use on the UNIX/Linux host, files that the spool
-management application finds and that are not currently part of job queue that it is managing can be deleted.
-This may explain the observation that jobs are spooled (by Samba) into this directory and just disappear.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="msdfs.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="CUPS-printing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 20. Hosting a Microsoft Distributed File System Tree </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 22. CUPS Printing Support</td></tr></table></div></body></html>
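Review bot: The "Common Errors" sections at the end of this deleted page hold operational guidance that should not disappear along with the rendered HTML. They state that root needs its own Samba account (`smbpasswd -a root`) because Samba does not know the UNIX password, and that the Samba spool directory must be separate from the UNIX spool directory, world writable, and have the 't' bit set. Please confirm in the commit message that this text remains in the documentation source or in a published copy, so the removal covers only the rendered output. If the page is regenerated from source, two nits in the removed lines are worth fixing there: "Additionally. the permissions on the spool directory" should use a comma, and the contact link in the Active Directory/LDAP section uses `href="mail://jht@samba.org"` where the other page in this diff uses `mailto:jht@samba.org`.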
diff --git a/docs/htmldocs/Samba3-HOWTO/compiling.html b/docs/htmldocs/Samba3-HOWTO/compiling.html
deleted file mode 100644
index 2b7b4f7c66..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/compiling.html
+++ /dev/null
@@ -1,332 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 42. How to Compile Samba</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="Appendix.html" title="Part VI. Reference Section"><link rel="next" href="Portability.html" title="Chapter 43. Portability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 42. How to Compile Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Appendix.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="Portability.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 42. How to Compile Samba"><div class="titlepage"><div><div><h2 class="title"><a name="compiling"></a>Chapter 42. 
How to Compile Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate"> 22 May 2001 </p></div><div><p class="pubdate"> 18 March 2003 </p></div><div><p class="pubdate"> June 2005 </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="compiling.html#id449310">Access Samba Source Code via Subversion</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id449315">Introduction</a></span></dt><dt><span class="sect2"><a href="compiling.html#id449353">Subversion Access to samba.org</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#id449526">Accessing the Samba Sources via rsync and ftp</a></span></dt><dt><span class="sect1"><a href="compiling.html#id449593">Verifying Samba's PGP Signature</a></span></dt><dt><span class="sect1"><a href="compiling.html#id449722">Building the Binaries</a></span></dt><dd><dl><dt><span 
class="sect2"><a href="compiling.html#id449946">Compiling Samba with Active Directory Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#startingSamba">Starting the <span class="application">smbd</span> <span class="application">nmbd</span> and <span class="application">winbindd</span></a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450196">Starting from inetd.conf</a></span></dt><dt><span class="sect2"><a href="compiling.html#id450403">Alternative: Starting <span class="application">smbd</span> as a Daemon</a></span></dt></dl></dd></dl></div><p>
-You can obtain the Samba source file from the
-<a class="ulink" href="http://samba.org/" target="_top">Samba Web site</a>. To obtain a development version,
-you can download Samba from Subversion or using <code class="literal">rsync</code>.
-</p><div class="sect1" title="Access Samba Source Code via Subversion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449310"></a>Access Samba Source Code via Subversion</h2></div></div></div><div class="sect2" title="Introduction"><div class="titlepage"><div><div><h3 class="title"><a name="id449315"></a>Introduction</h3></div></div></div><p>
-<a class="indexterm" name="id449323"></a>
-Samba is developed in an open environment. Developers use a
-Subversion to <span class="quote">&#8220;<span class="quote">checkin</span>&#8221;</span> (also known as
-<span class="quote">&#8220;<span class="quote">commit</span>&#8221;</span>) new source code. Samba's various Subversion branches can
-be accessed via anonymous Subversion using the instructions
-detailed in this chapter.
-</p><p>
-This chapter is a modified version of the instructions found at the
-<a class="ulink" href="http://samba.org/samba/subversion.html" target="_top">Samba</a> Web site.
-</p></div><div class="sect2" title="Subversion Access to samba.org"><div class="titlepage"><div><div><h3 class="title"><a name="id449353"></a>Subversion Access to samba.org</h3></div></div></div><p>
-The machine samba.org runs a publicly accessible Subversion
-repository for access to the source code of several packages,
-including Samba, rsync, distcc, ccache, and jitterbug. There are two main ways
-of accessing the Subversion server on this host.
-</p><div class="sect3" title="Access via ViewCVS"><div class="titlepage"><div><div><h4 class="title"><a name="id449365"></a>Access via ViewCVS</h4></div></div></div><p>
-<a class="indexterm" name="id449372"></a>
-You can access the source code via your favorite WWW browser. This allows you to access
-the contents of individual files in the repository and also to look at the revision
-history and commit logs of individual files. You can also ask for a diff
-listing between any two versions on the repository.
-</p><p>
-Use the URL
-<a class="ulink" href="http://viewcvs.samba.org/" target="_top">http://viewcvs.samba.org/</a>.
-</p></div><div class="sect3" title="Access via Subversion"><div class="titlepage"><div><div><h4 class="title"><a name="id449397"></a>Access via Subversion</h4></div></div></div><p>
-<a class="indexterm" name="id449405"></a>
-You can also access the source code via a normal Subversion client. This gives you much more control over what
-you can do with the repository and allows you to check out whole source trees and keep them up to date via
-normal Subversion commands. This is the preferred method of access if you are a developer and not just a
-casual browser.
-</p><p>In order to be able to download the Samba sources off Subversion, you need
-a Subversion client. Your distribution might include one, or you can download the
-sources from <a class="ulink" href="http://subversion.tigris.org/" target="_top">http://subversion.tigris.org/</a>.
-</p><p>
-To gain access via anonymous Subversion, use the following steps.
-</p><div class="procedure" title="Procedure 42.1. Retrieving Samba using Subversion"><a name="id449432"></a><p class="title"><b>Procedure 42.1. Retrieving Samba using Subversion</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Install a recent copy of Subversion. All you really need is a
- copy of the Subversion client binary.
- </p></li><li class="step" title="Step 2"><p>
- Run the command
- </p><pre class="screen">
- <strong class="userinput"><code>svn co svn://svnanon.samba.org/samba/trunk samba</code></strong>.
- </pre><p>
- </p><p>
- This will create a directory called <code class="filename">samba</code> containing the
- latest Samba source code (usually the branch that is going to be the next major release). This
- currently corresponds to the 3.1 development tree.
- </p><p>
- Subversion branches other then trunk can be obtained by adding branches/BRANCH_NAME to the URL you check
- out. A list of branch names can be found on the <span class="quote">&#8220;<span class="quote">Development</span>&#8221;</span> page of the Samba Web site. A
- common request is to obtain the latest 3.0 release code. This could be done by using the following command:
- </p><pre class="screen">
- <strong class="userinput"><code>svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0 samba_3</code></strong>.
- </pre><p>
- </p></li><li class="step" title="Step 3"><p>
- Whenever you want to merge in the latest code changes, use the following command from within the Samba
- directory:
- </p><pre class="screen">
- <strong class="userinput"><code>svn update</code></strong>
- </pre><p>
- </p></li></ol></div></div></div></div><div class="sect1" title="Accessing the Samba Sources via rsync and ftp"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449526"></a>Accessing the Samba Sources via rsync and ftp</h2></div></div></div><p>
- <a class="indexterm" name="id449534"></a>
- <a class="indexterm" name="id449540"></a>
- <em class="parameter"><code>pserver.samba.org</code></em> also exports unpacked copies of most parts of the Subversion tree
- at the Samba <a class="ulink" href="ftp://pserver.samba.org/pub/unpacked" target="_top">pserver</a> location and also
- via anonymous rsync at the Samba <a class="ulink" href="rsync://pserver.samba.org/ftp/unpacked/" target="_top">rsync</a> server location. I recommend using rsync rather
- than ftp, because rsync is capable of compressing data streams, but it is also more useful than FTP because
- during a partial update it will transfer only the data that is missing plus a small overhead. See <a class="ulink" href="http://rsync.samba.org/" target="_top">the rsync home page</a> for more info on rsync.
- </p><p>
- The disadvantage of the unpacked trees is that they do not support automatic
- merging of local changes as Subversion does. <code class="literal">rsync</code> access is most convenient
- for an initial install.
- </p></div><div class="sect1" title="Verifying Samba's PGP Signature"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449593"></a>Verifying Samba's PGP Signature</h2></div></div></div><p>
-<a class="indexterm" name="id449601"></a>
-<a class="indexterm" name="id449608"></a>
-It is strongly recommended that you verify the PGP signature for any source file before
-installing it. Even if you're not downloading from a mirror site, verifying PGP signatures
-should be a standard reflex. Many people today use the GNU GPG tool set in place of PGP.
-GPG can substitute for PGP.
-</p><p>
-With that said, go ahead and download the following files:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>wget http://us1.samba.org/samba/ftp/samba-3.0.20.tar.asc</code></strong>
-<code class="prompt">$ </code><strong class="userinput"><code>wget http://us1.samba.org/samba/ftp/samba-pubkey.asc</code></strong>
-</pre><p>
-<a class="indexterm" name="id449652"></a>
-The first file is the PGP signature for the Samba source file; the other is the Samba public
-PGP key itself. Import the public PGP key with:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>gpg --import samba-pubkey.asc</code></strong>
-</pre><p>
-and verify the Samba source code integrity with:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>gzip -d samba-3.0.20.tar.gz</code></strong>
-<code class="prompt">$ </code><strong class="userinput"><code>gpg --verify samba-3.0.20.tar.asc</code></strong>
-</pre><p>
-</p><p>
-If you receive a message like, <span class="quote">&#8220;<span class="quote">Good signature from Samba Distribution Verification Key...,</span>&#8221;</span>
-then all is well. The warnings about trust relationships can be ignored. An
-example of what you would not want to see would be:
-</p><pre class="screen">
-gpg: BAD signature from <span class="quote">&#8220;<span class="quote">Samba Distribution Verification Key</span>&#8221;</span>
-</pre><p>
-</p></div><div class="sect1" title="Building the Binaries"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449722"></a>Building the Binaries</h2></div></div></div><p>
- <a class="indexterm" name="id449730"></a>
-<a class="indexterm" name="id449737"></a>
- After the source tarball has been unpacked, the next step involves
- configuration to match Samba to your operating system platform.
- If your source directory does not contain the <code class="literal">configure</code> script,
- it is necessary to build it before you can continue. Building of
- the configure script requires the correct version of the autoconf
- tool kit. Where the necessary version of autoconf is present,
- the configure script can be generated by executing the following
- (please note that in Samba 3.4.x, the directory is called source3 instead
- of source):
-</p><pre class="screen">
-<code class="prompt">root# </code> cd samba-3.0.20/source
-<code class="prompt">root# </code> ./autogen.sh
-</pre><p>
- </p><p>
- <a class="indexterm" name="id449775"></a>
- To build the binaries, run the program <strong class="userinput"><code>./configure
- </code></strong> in the source directory. This should automatically
- configure Samba for your operating system. If you have unusual
- needs, then you may wish to first run:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>./configure --help</code></strong>
-</pre><p>
-</p><p>
- This will help you to see what special options can be enabled. Now execute
- <strong class="userinput"><code>./configure</code></strong> with any arguments it might need:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>./configure <em class="replaceable"><code>[... arguments ...]</code></em></code></strong>
-</pre><p>
- </p><p>
- <a class="indexterm" name="id449837"></a>
- Execute the following create the binaries:
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>make</code></strong>
-</pre><p>
- Once it is successfully compiled, you can execute the command shown here to
- install the binaries and manual pages:
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>make install</code></strong>
-</pre><p>
- </p><p>
- Some people prefer to install binary files and man pages separately. If this is
- your wish, the binary files can be installed by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>make installbin</code></strong>
-</pre><p>
- The man pages can be installed using this command:
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>make installman</code></strong>
-</pre><p>
- </p><p>
- Note that if you are upgrading from a previous version of Samba the old
- versions of the binaries will be renamed with an <span class="quote">&#8220;<span class="quote">.old</span>&#8221;</span> extension.
- You can go back to the previous version by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>make revert</code></strong>
-</pre><p>
- As you can see from this, building and installing Samba does not need to
- result in disaster!
- </p><div class="sect2" title="Compiling Samba with Active Directory Support"><div class="titlepage"><div><div><h3 class="title"><a name="id449946"></a>Compiling Samba with Active Directory Support</h3></div></div></div><p>
- In order to compile Samba with ADS support, you need to have installed
- on your system:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- The MIT or Heimdal Kerberos development libraries
- (either install from the sources or use a package).
- </p></li><li class="listitem"><p>
- The OpenLDAP development libraries.
- </p></li></ul></div><p>
- If your Kerberos libraries are in a nonstandard location, then
- remember to add the configure option
- <code class="option">--with-krb5=<em class="replaceable"><code>DIR</code></em></code>.
- </p><p>
- After you run configure, make sure that the
- <code class="filename">include/config.h</code> it generates contain lines like this:
-</p><pre class="programlisting">
-#define HAVE_KRB5 1
-#define HAVE_LDAP 1
-</pre><p>
- </p><p>
- If it does not, configure did not find your KRB5 libraries or
- your LDAP libraries. Look in <code class="filename">config.log</code> to figure
- out why and fix it.
- </p><div class="sect3" title="Installing the Required Packages for Debian"><div class="titlepage"><div><div><h4 class="title"><a name="id450006"></a>Installing the Required Packages for Debian</h4></div></div></div><p>On Debian, you need to install the following packages:</p><p>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>libkrb5-dev</p></li><li class="listitem"><p>krb5-user</p></li></ul></div><p>
- </p></div><div class="sect3" title="Installing the Required Packages for Red Hat Linux"><div class="titlepage"><div><div><h4 class="title"><a name="id450032"></a>Installing the Required Packages for Red Hat Linux</h4></div></div></div><p>On Red Hat Linux, this means you should have at least: </p><p>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>krb5-workstation (for kinit)</p></li><li class="listitem"><p>krb5-libs (for linking with)</p></li><li class="listitem"><p>krb5-devel (because you are compiling from source)</p></li></ul></div><p>
- </p><p>in addition to the standard development environment.</p><p>If these files are not installed on your system, you should check the installation
- CDs to find which has them and install the files using your tool of choice. If in doubt
- about what tool to use, refer to the Red Hat Linux documentation.</p></div><div class="sect3" title="SuSE Linux Package Requirements"><div class="titlepage"><div><div><h4 class="title"><a name="id450072"></a>SuSE Linux Package Requirements</h4></div></div></div><p>
- SuSE Linux installs Heimdal packages that may be required to allow you to build
- binary packages. You should verify that the development libraries have been installed on
- your system.
- </p><p>
- SuSE Linux Samba RPMs support Kerberos. Please refer to the documentation for
- your SuSE Linux system for information regarding SuSE Linux specific configuration.
- Additionally, SuSE is very active in the maintenance of Samba packages that provide
- the maximum capabilities that are available. You should consider using SuSE-provided
- packages where they are available.
- </p></div></div></div><div class="sect1" title="Starting the smbd nmbd and winbindd"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="startingSamba"></a>Starting the <span class="application">smbd</span> <span class="application">nmbd</span> and <span class="application">winbindd</span></h2></div></div></div><p>
- <a class="indexterm" name="id450121"></a>
- You must choose to start <span class="application">smbd</span>, <span class="application">winbindd</span> and <span class="application">nmbd</span> either as daemons or from
- <span class="application">inetd</span>. Don't try to do both! Either you can put
- them in <code class="filename"> inetd.conf</code> and have them started on demand by
- <span class="application">inetd</span> or <span class="application">xinetd</span>, or you
- can start them as daemons either from the command-line or in
- <code class="filename">/etc/rc.local</code>. See the man pages for details on the
- command line options. Take particular care to read the bit about what user
- you need to have to start Samba. In many cases, you must be root.
- </p><p>
- The main advantage of starting <span class="application">smbd</span> and <span class="application">nmbd</span> using the recommended daemon method
- is that they will respond slightly more quickly to an initial connection request.
- </p><div class="sect2" title="Starting from inetd.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id450196"></a>Starting from inetd.conf</h3></div></div></div><a class="indexterm" name="id450201"></a><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The following will be different if
- you use NIS, NIS+, or LDAP to distribute services maps.</p></div><p>Look at your <code class="filename">/etc/services</code>.
- What is defined at port 139/tcp? If nothing is defined,
- then add a line like this:</p><pre class="programlisting">netbios-ssn 139/tcp</pre><p>Similarly for 137/udp, you should have an entry like:</p><pre class="programlisting">netbios-ns 137/udp</pre><p>
- Next, edit your <code class="filename">/etc/inetd.conf</code> and add two lines like this:
-</p><pre class="programlisting">
-netbios-ssn stream tcp nowait root /usr/local/samba/sbin/smbd smbd
-netbios-ns dgram udp wait root /usr/local/samba/sbin/nmbd nmbd
-</pre><p>
- </p><a class="indexterm" name="id450259"></a><p>
- The exact syntax of <code class="filename">/etc/inetd.conf</code>
- varies between UNIXes. Look at the other entries in inetd.conf
- for a guide.
- </p><p>
- <a class="indexterm" name="id450278"></a>
- Some distributions use xinetd instead of inetd. Consult the
- xinetd manual for configuration information.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Some UNIXes already have entries like netbios_ns
- (note the underscore) in <code class="filename">/etc/services</code>.
- You must edit <code class="filename">/etc/services</code> or
- <code class="filename">/etc/inetd.conf</code> to make them consistent.
- </p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- <a class="indexterm" name="id450313"></a>
- On many systems you may need to use the
- <a class="link" href="smb.conf.5.html#INTERFACES" target="_top">interfaces</a> option in <code class="filename">smb.conf</code> to specify
- the IP address and netmask of your interfaces. Run
- <span class="application">ifconfig</span> as root if you do
- not know what the broadcast is for your net. <span class="application">nmbd</span> tries
- to determine it at runtime, but fails on some UNIXes.
- </p></div><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
- Many UNIXes only accept around five parameters on the command
- line in <code class="filename">inetd.conf</code>. This means you shouldn't
- use spaces between the options and arguments, or you should use
- a script and start the script from <code class="literal">inetd</code>.
- </p></div><p>
- Restart <span class="application">inetd</span>, perhaps just send it a HUP,
- like this:
-<a class="indexterm" name="id450378"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>killall -HUP inetd</code></strong>
-</pre><p>
- </p></div><div class="sect2" title="Alternative: Starting smbd as a Daemon"><div class="titlepage"><div><div><h3 class="title"><a name="id450403"></a>Alternative: Starting <span class="application">smbd</span> as a Daemon</h3></div></div></div><p>
- <a class="indexterm" name="id450416"></a>
-<a class="indexterm" name="id450423"></a>
- To start the server as a daemon, you should create a script something
- like this one, perhaps calling it <code class="filename">startsmb</code>.
- </p><pre class="programlisting">
-#!/bin/sh
-/usr/local/samba/sbin/smbd -D
-/usr/local/samba/sbin/winbindd -D
-/usr/local/samba/sbin/nmbd -D
-</pre><p>
- Make it executable with <code class="literal">chmod +x startsmb</code>.
- </p><p>
- You can then run <code class="literal">startsmb</code> by hand or execute
- it from <code class="filename">/etc/rc.local</code>.
- </p><p>
- To kill it, send a kill signal to the processes <span class="application">nmbd</span> and <span class="application">smbd</span>.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- If you use the SVR4-style init system, you may like to look at the
- <code class="filename">examples/svr4-startup</code> script to make Samba fit
- into that system.
- </p></div><div class="sect3" title="Starting Samba for Red Hat Linux"><div class="titlepage"><div><div><h4 class="title"><a name="id450497"></a>Starting Samba for Red Hat Linux</h4></div></div></div><p>
- Red Hat Linux has not always included all Samba components in the standard installation.
- So versions of Red Hat Linux do not install the winbind utility, even though it is present
- on the installation CDROM media. Check to see if the <code class="literal">winbindd</code> is present
- on the system:
-</p><pre class="screen">
-<code class="prompt">root# </code> ls /usr/sbin/winbindd
-/usr/sbin/winbindd
-</pre><p>
- This means that the appropriate RPM package was installed. The following response means
- that it is not installed:
-</p><pre class="screen">
-/bin/ls: /usr/sbin/winbind: No such file or directory
-</pre><p>
- In this case, it should be installed if you intend to use <code class="literal">winbindd</code>. Search
- the CDROM installation media for the samba-winbind RPM and install it following Red Hat
- guidelines.
- </p><p>
- The process for starting Samba will now be outlined. Be sure to configure Samba's <code class="filename">smb.conf</code>
- file before starting Samba. When configured, start Samba by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> service smb start
-<code class="prompt">root# </code> service winbind start
-</pre><p>
- These steps will start <span class="application">nmbd</span>, <span class="application">smbd</span> and <span class="application">winbindd</span>.
- </p><p>
- To ensure that these services will be automatically restarted when the system is rebooted
- execute:
-</p><pre class="screen">
-<code class="prompt">root# </code> chkconfig smb on
-<code class="prompt">root# </code> chkconfig winbind on
-</pre><p>
- Samba will be started automatically at every system reboot.
- </p></div><div class="sect3" title="Starting Samba for Novell SUSE Linux"><div class="titlepage"><div><div><h4 class="title"><a name="id450610"></a>Starting Samba for Novell SUSE Linux</h4></div></div></div><p>
- Novell SUSE Linux products automatically install all essential Samba components in a default installation.
- Configure your <code class="filename">smb.conf</code> file, then execute the following to start Samba:
-</p><pre class="screen">
-<code class="prompt">root# </code> rcnmb start
-<code class="prompt">root# </code> rcsmb start
-<code class="prompt">root# </code> rcwinbind start
-</pre><p>
- Now execute these commands so that Samba will be started automatically following a system
- reboot:
-</p><pre class="screen">
-<code class="prompt">root# </code> chkconfig nmb on
-<code class="prompt">root# </code> chkconfig smb on
-<code class="prompt">root# </code> chkconfig winbind on
-</pre><p>
- The Samba services will now be started automatically following a system reboot.
- </p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Appendix.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Portability.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part VI. Reference Section </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 43. Portability</td></tr></table></div></body></html>
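Review bot: In the "Starting Samba for Red Hat Linux" section of this removed page, the check runs "ls /usr/sbin/winbindd" but the sample "not installed" output names /usr/sbin/winbind, and the sentence before it begins "So versions of Red Hat Linux" where "Some versions" is evidently meant. Deleting the generated HTML does not fix either one, so if this chapter is still built from its source, correct both there. The same applies to "To kill it, send a kill signal to the processes nmbd and smbd" in the daemon section, which leaves out winbindd even though the startsmb script just above it starts all three.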
diff --git a/docs/htmldocs/Samba3-HOWTO/diagnosis.html b/docs/htmldocs/Samba3-HOWTO/diagnosis.html
deleted file mode 100644
index 324867fe03..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/diagnosis.html
+++ /dev/null
@@ -1,352 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. The Samba Checklist</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="prev" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="next" href="problems.html" title="Chapter 39. Analyzing and Solving Samba Problems"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. The Samba Checklist</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="troubleshooting.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="problems.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 38. The Samba Checklist"><div class="titlepage"><div><div><h2 class="title"><a name="diagnosis"></a>Chapter 38. 
The Samba Checklist</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:dan@samba.org">dan@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Wed Jan 15</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="diagnosis.html#id444817">Introduction</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id444853">Assumptions</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id445131">The Tests</a></span></dt></dl></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id444817"></a>Introduction</h2></div></div></div><p>
-<a class="indexterm" name="id444825"></a>
-This file contains a list of tests you can perform to validate your
-Samba server. It also tells you what the likely cause of the problem
-is if it fails any one of these steps. If it passes all these tests,
-then it is probably working fine.
-</p><p>
-You should do all the tests in the order shown. We have tried to
-carefully choose them so later tests only use capabilities verified in
-the earlier tests. However, do not stop at the first error: there
-have been some instances when continuing with the tests has helped
-to solve a problem.
-</p><p>
-If you send one of the Samba mailing lists an email saying, <span class="quote">&#8220;<span class="quote">It does not work,</span>&#8221;</span>
-and you have not followed this test procedure, you should not be surprised
-if your email is ignored.
-</p></div><div class="sect1" title="Assumptions"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id444853"></a>Assumptions</h2></div></div></div><p>
-In all of the tests, it is assumed you have a Samba server called
-BIGSERVER and a PC called ACLIENT, both in workgroup TESTGROUP.
-</p><p>
-The procedure is similar for other types of clients.
-</p><p>
-It is also assumed you know the name of an available share in your
-<code class="filename">smb.conf</code>. I for our examples this share is called <em class="parameter"><code>tmp</code></em>.
-You can add a <em class="parameter"><code>tmp</code></em> share like this by adding the
-lines shown in <a class="link" href="diagnosis.html#tmpshare" title="Example 38.1. smb.conf with [tmp] Share">the next example</a>.
-</p><div class="example"><a name="tmpshare"></a><p class="title"><b>Example 38.1. smb.conf with [tmp] Share</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[tmp]</code></em></td></tr><tr><td><a class="indexterm" name="id444920"></a><em class="parameter"><code>comment = temporary files </code></em></td></tr><tr><td><a class="indexterm" name="id444932"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td><a class="indexterm" name="id444943"></a><em class="parameter"><code>read only = yes</code></em></td></tr></table></div></div><br class="example-break"><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-These tests assume version 3.0.0 or later of the Samba suite.
-Some commands shown did not exist in earlier versions.
-</p></div><p>
-<a class="indexterm" name="id444963"></a>
-<a class="indexterm" name="id444970"></a>
-<a class="indexterm" name="id444977"></a>
-Please pay attention to the error messages you receive. If any error message
-reports that your server is being unfriendly, you should first check that your
-IP name resolution is correctly set up. Make sure your <code class="filename">/etc/resolv.conf</code>
-file points to name servers that really do exist.
-</p><p>
-<a class="indexterm" name="id444995"></a>
-<a class="indexterm" name="id445002"></a>
-<a class="indexterm" name="id445008"></a>
-<a class="indexterm" name="id445015"></a>
-Also, if you do not have DNS server access for name resolution, please check
-that the settings for your <code class="filename">smb.conf</code> file results in <em class="parameter"><code>dns proxy = no</code></em>. The
-best way to check this is with <code class="literal">testparm smb.conf</code>.
-</p><p>
-<a class="indexterm" name="id445044"></a>
-<a class="indexterm" name="id445051"></a>
-<a class="indexterm" name="id445058"></a>
-<a class="indexterm" name="id445065"></a>
-<a class="indexterm" name="id445071"></a>
-It is helpful to monitor the log files during testing by using the
-<code class="literal">tail -F log_file_name</code> in a separate
-terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X).
-Relevant log files can be found (for default installations) in
-<code class="filename">/usr/local/samba/var</code>. Also, connection logs from
-machines can be found here or possibly in <code class="filename">/var/log/samba</code>,
-depending on how or if you specified logging in your <code class="filename">smb.conf</code> file.
-</p><p>
-If you make changes to your <code class="filename">smb.conf</code> file while going through these test,
-remember to restart <span class="application">smbd</span> and <span class="application">nmbd</span>.
-</p></div><div class="sect1" title="The Tests"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id445131"></a>The Tests</h2></div></div></div><div class="procedure" title="Procedure 38.1. Diagnosing Your Samba Server"><a name="id445137"></a><p class="title"><b>Procedure 38.1. Diagnosing Your Samba Server</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
-<a class="indexterm" name="id445149"></a>
-In the directory in which you store your <code class="filename">smb.conf</code> file, run the command
-<code class="literal">testparm smb.conf</code>. If it reports any errors, then your <code class="filename">smb.conf</code>
-configuration file is faulty.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id445179"></a>
-<a class="indexterm" name="id445186"></a>
-Your <code class="filename">smb.conf</code> file may be located in <code class="filename">/etc/samba</code>
-or in <code class="filename">/usr/local/samba/lib</code>.
-</p></div></li><li class="step" title="Step 2"><p>
-<a class="indexterm" name="id445219"></a>
-Run the command <code class="literal">ping BIGSERVER</code> from the PC and
-<code class="literal">ping ACLIENT</code> from the UNIX box. If you do not get a valid response,
-then your TCP/IP software is not correctly installed.
-</p><p>
-You will need to start a <span class="quote">&#8220;<span class="quote">DOS prompt</span>&#8221;</span> window on the PC to run ping.
-</p><p>
-<a class="indexterm" name="id445250"></a>
-<a class="indexterm" name="id445256"></a>
-<a class="indexterm" name="id445263"></a>
-If you get a message saying <span class="quote">&#8220;<span class="quote"><span class="errorname">host not found</span></span>&#8221;</span> or a similar message, then
-your DNS software or <code class="filename">/etc/hosts</code> file is not correctly set up. If using DNS, check that
-the <code class="filename">/etc/resolv.conf</code> has correct, current, entries in it. It is possible to run
-Samba without DNS entries for the server and client, but it is assumed you do have correct entries for the
-remainder of these tests.
-</p><p>
-<a class="indexterm" name="id445292"></a>
-<a class="indexterm" name="id445299"></a>
-<a class="indexterm" name="id445306"></a>
-Another reason why ping might fail is if your host is running firewall
-software. You will need to relax the rules to let in the workstation
-in question, perhaps by allowing access from another subnet (on Linux
-this is done via the appropriate firewall maintenance commands <code class="literal">ipchains</code>
-or <code class="literal">iptables</code>).
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Modern Linux distributions install ipchains/iptables by default.
-This is a common problem that is often overlooked.
-</p></div><p>
-<a class="indexterm" name="id445338"></a>
-<a class="indexterm" name="id445344"></a>
-If you wish to check what firewall rules may be present in a system under test, simply run
-<code class="literal">iptables -L -v</code>, or if <em class="parameter"><code>ipchains</code></em>-based firewall rules are in use,
-<code class="literal">ipchains -L -v</code>.
-</p><p>
-Here is a sample listing from a system that has an external Ethernet interface (eth1) on which Samba
-is not active and an internal (private network) interface (eth0) on which Samba is active:
-</p><pre class="screen">
-frodo:~ # iptables -L -v
-Chain INPUT (policy DROP 98496 packets, 12M bytes)
- pkts bytes target prot opt in out source destination
- 187K 109M ACCEPT all -- lo any anywhere anywhere
- 892K 125M ACCEPT all -- eth0 any anywhere anywhere
-1399K 1380M ACCEPT all -- eth1 any anywhere anywhere \
- state RELATED,ESTABLISHED
-
-Chain FORWARD (policy DROP 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 978K 1177M ACCEPT all -- eth1 eth0 anywhere anywhere \
- state RELATED,ESTABLISHED
- 658K 40M ACCEPT all -- eth0 eth1 anywhere anywhere
- 0 0 LOG all -- any any anywhere anywhere \
- LOG level warning
-
-Chain OUTPUT (policy ACCEPT 2875K packets, 1508M bytes)
- pkts bytes target prot opt in out source destination
-
-Chain reject_func (0 references)
- pkts bytes target prot opt in out source destination
-</pre><p>
-</p></li><li class="step" title="Step 3"><p>
-Run the command <code class="literal">smbclient -L BIGSERVER</code>
-on the UNIX box. You should get back a list of available shares.
-</p><p>
-<a class="indexterm" name="id445416"></a>
-<a class="indexterm" name="id445422"></a>
-<a class="indexterm" name="id445429"></a>
-<a class="indexterm" name="id445436"></a>
-<a class="indexterm" name="id445443"></a>
-<a class="indexterm" name="id445450"></a>
-If you get an error message containing the string <span class="quote">&#8220;<span class="quote">bad password</span>&#8221;</span>, then
-you probably have either an incorrect <em class="parameter"><code>hosts allow</code></em>,
-<em class="parameter"><code>hosts deny</code></em>, or <em class="parameter"><code>valid users</code></em> line in your
-<code class="filename">smb.conf</code>, or your guest account is not valid. Check what your guest account is using <span class="application">testparm</span> and
-temporarily remove any <em class="parameter"><code>hosts allow</code></em>, <em class="parameter"><code>hosts deny</code></em>,
-<em class="parameter"><code>valid users</code></em>, or <em class="parameter"><code>invalid users</code></em> lines.
-</p><p>
-<a class="indexterm" name="id445518"></a>
-If you get a message <code class="literal">connection refused</code> response, then the <code class="literal">smbd</code> server may
-not be running. If you installed it in <code class="filename">inetd.conf</code>, then you probably edited
-that file incorrectly. If you installed it as a daemon, then check that
-it is running and check that the netbios-ssn port is in a LISTEN
-state using <code class="literal">netstat -a</code>.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id445555"></a>
-<a class="indexterm" name="id445561"></a>
-Some UNIX/Linux systems use <code class="literal">xinetd</code> in place of
-<code class="literal">inetd</code>. Check your system documentation for the location
-of the control files for your particular system implementation of
-the network super daemon.
-</p></div><p>
-If you get a message saying <code class="literal">session request failed,</code> the server refused the
-connection. If it says <span class="quote">&#8220;<span class="quote">Your server software is being unfriendly,</span>&#8221;</span> then
-it's probably because you have invalid command line parameters to <span class="application">smbd</span>,
-or a similar fatal problem with the initial startup of <span class="application">smbd</span>. Also
-check your config file (<code class="filename">smb.conf</code>) for syntax errors with <span class="application">testparm</span>
-and that the various directories where Samba keeps its log and lock
-files exist.
-</p><p>
-There are a number of reasons for which smbd may refuse or decline
-a session request. The most common of these involve one or more of
-the <code class="filename">smb.conf</code> file entries as shown in <a class="link" href="diagnosis.html#modif1" title="Example 38.2. Configuration for Allowing Connections Only from a Certain Subnet">the next example</a>.
-</p><div class="example"><a name="modif1"></a><p class="title"><b>Example 38.2. Configuration for Allowing Connections Only from a Certain Subnet</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[globals]</code></em></td></tr><tr><td><a class="indexterm" name="id445667"></a><em class="parameter"><code>hosts deny = ALL</code></em></td></tr><tr><td><a class="indexterm" name="id445679"></a><em class="parameter"><code>hosts allow = xxx.xxx.xxx.xxx/yy</code></em></td></tr><tr><td><a class="indexterm" name="id445690"></a><em class="parameter"><code>interfaces = eth0</code></em></td></tr><tr><td><a class="indexterm" name="id445702"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id445716"></a>
-In <a class="link" href="diagnosis.html#modif1" title="Example 38.2. Configuration for Allowing Connections Only from a Certain Subnet">Configuration for Allowing Connections Only from a Certain Subnet</a>, no
-allowance has been made for any session requests that will automatically translate to the loopback adapter
-address 127.0.0.1. To solve this problem, change these lines as shown in <a class="link" href="diagnosis.html#modif2" title="Example 38.3. Configuration for Allowing Connections from a Certain Subnet and localhost">the following
-example</a>.
-</p><div class="example"><a name="modif2"></a><p class="title"><b>Example 38.3. Configuration for Allowing Connections from a Certain Subnet and localhost</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[globals]</code></em></td></tr><tr><td><a class="indexterm" name="id445766"></a><em class="parameter"><code>hosts deny = ALL</code></em></td></tr><tr><td><a class="indexterm" name="id445777"></a><em class="parameter"><code>hosts allow = xxx.xxx.xxx.xxx/yy 127.</code></em></td></tr><tr><td><a class="indexterm" name="id445789"></a><em class="parameter"><code>interfaces = eth0 lo</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id445803"></a>
-<a class="indexterm" name="id445810"></a>
-Another common cause of these two errors is having something already running on port <code class="constant">139</code>,
-such as Samba (<span class="application">smbd</span> is running from <span class="application">inetd</span> already) or Digital's Pathworks. Check
-your <code class="filename">inetd.conf</code> file before trying to start <span class="application">smbd</span> as a daemon it can avoid a
-lot of frustration!
-</p><p>
-<a class="indexterm" name="id445853"></a>
-<a class="indexterm" name="id445859"></a>
-<a class="indexterm" name="id445866"></a>
-<a class="indexterm" name="id445872"></a>
-<a class="indexterm" name="id445879"></a>
-And yet another possible cause for failure of this test is when the subnet mask and/or broadcast address
-settings are incorrect. Please check that the network interface IP address/broadcast address/subnet mask
-settings are correct and that Samba has correctly noted these in the <code class="filename">log.nmbd</code> file.
-</p></li><li class="step" title="Step 4"><p>
-<a class="indexterm" name="id445903"></a>
-Run the command <code class="literal">nmblookup -B BIGSERVER __SAMBA__</code>.
-You should get back the IP address of your Samba server.
-</p><p>
-<a class="indexterm" name="id445920"></a>
-<a class="indexterm" name="id445927"></a>
-<a class="indexterm" name="id445934"></a>
-If you do not, then <span class="application">nmbd</span> is incorrectly installed. Check your <code class="filename">inetd.conf</code>
-if you run it from there, or that the daemon is running and listening to UDP port 137.
-</p><p>
-One common problem is that many inetd implementations can't take many
-parameters on the command line. If this is the case, then create a
-one-line script that contains the right parameters and run that from
-inetd.
-</p></li><li class="step" title="Step 5"><p>
-<a class="indexterm" name="id445967"></a>
-Run the command <code class="literal">nmblookup -B ACLIENT `*'</code>.
-</p><p>
-You should get the PC's IP address back. If you do not, then the client
-software on the PC isn't installed correctly, or isn't started, or you
-got the name of the PC wrong.
-</p><p>
-If ACLIENT does not resolve via DNS, then use the IP address of the
-client in the above test.
-</p></li><li class="step" title="Step 6"><p>
-Run the command <code class="literal">nmblookup -d 2 `*'</code>.
-</p><p>
-This time we are trying the same as the previous test but are trying
-it via a broadcast to the default broadcast address. A number of
-NetBIOS/TCP/IP hosts on the network should respond, although Samba may
-not catch all of the responses in the short time it listens. You
-should see the <code class="literal">got a positive name query response</code>
-messages from several hosts.
-</p><p>
-<a class="indexterm" name="id446019"></a>
-If this does not give a result similar to the previous test, then nmblookup isn't correctly getting your
-broadcast address through its automatic mechanism. In this case you should experiment with the <a class="link" href="smb.conf.5.html#INTERFACES" target="_top">interfaces</a> option in <code class="filename">smb.conf</code> to manually configure your IP address, broadcast, and netmask.
-</p><p>
-If your PC and server aren't on the same subnet, then you will need to use the
-<code class="option">-B</code> option to set the broadcast address to that of the PC's subnet.
-</p><p>
-This test will probably fail if your subnet mask and broadcast address are
-not correct. (Refer to test 3 notes above).
-</p></li><li class="step" title="Step 7"><p>
-<a class="indexterm" name="id446066"></a>
-Run the command <code class="literal">smbclient //BIGSERVER/TMP</code>. You should
-then be prompted for a password. You should use the password of the account
-with which you are logged into the UNIX box. If you want to test with
-another account, then add the <code class="option">-U accountname</code> option to the end of
-the command line for example, <code class="literal">smbclient //bigserver/tmp -Ujohndoe</code>.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-It is possible to specify the password along with the username as follows:
-<code class="literal">smbclient //bigserver/tmp -Ujohndoe%secret</code>.
-</p></div><p>
-Once you enter the password, you should get the <code class="prompt">smb&gt;</code> prompt. If you
-do not, then look at the error message. If it says <span class="quote">&#8220;<span class="quote"><span class="errorname">invalid network
-name,</span></span>&#8221;</span> then the service <em class="parameter"><code>tmp</code></em> is not correctly set up in your <code class="filename">smb.conf</code>.
-</p><p>
-If it says <span class="quote">&#8220;<span class="quote"><span class="errorname">bad password,</span></span>&#8221;</span> then the likely causes are:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- You have shadow passwords (or some other password system) but didn't
- compile in support for them in <span class="application">smbd</span>.
- </p></li><li class="listitem"><p>
- Your <a class="link" href="smb.conf.5.html#VALIDUSERS" target="_top">valid users</a> configuration is incorrect.
- </p></li><li class="listitem"><p>
- You have a mixed-case password and you haven't enabled the <a class="link" href="smb.conf.5.html#PASSWORDLEVEL" target="_top">password level</a> option at a high enough level.
- </p></li><li class="listitem"><p>
- The <a class="link" href="smb.conf.5.html#PATH" target="_top">path</a> line in <code class="filename">smb.conf</code> is incorrect. Check it with <span class="application">testparm</span>.
- </p></li><li class="listitem"><p>
- You enabled password encryption but didn't map UNIX to Samba users. Run
- <code class="literal">smbpasswd -a username</code>
- </p></li></ol></div><p>
-<a class="indexterm" name="id446240"></a>
-<a class="indexterm" name="id446246"></a>
-<a class="indexterm" name="id446253"></a>
-<a class="indexterm" name="id446260"></a>
-Once connected, you should be able to use the commands <code class="literal">dir</code>, <code class="literal">get</code>,
-<code class="literal">put</code>, and so on. Type <code class="literal">help command</code> for instructions. You should
-especially check that the amount of free disk space shown is correct when you type <code class="literal">dir</code>.
-</p></li><li class="step" title="Step 8"><p>
-<a class="indexterm" name="id446305"></a>
-On the PC, type the command <code class="literal">net view \\BIGSERVER</code>. You will
-need to do this from within a DOS prompt window. You should get back a
-list of shares available on the server.
-</p><p>
-<a class="indexterm" name="id446322"></a>
-If you get a message <code class="literal">network name not found</code> or similar error, then NetBIOS
-name resolution is not working. This is usually caused by a problem in <code class="literal">nmbd</code>.
-To overcome it, you could do one of the following (you only need to choose one of them):
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- Fix the <span class="application">nmbd</span> installation.
-</p></li><li class="listitem"><p>
- Add the IP address of BIGSERVER to the <code class="literal">wins server</code> box in the
- advanced TCP/IP setup on the PC.
-</p></li><li class="listitem"><p>
- Enable Windows name resolution via DNS in the advanced section of the TCP/IP setup.
-</p></li><li class="listitem"><p>
- Add BIGSERVER to your lmhosts file on the PC.
-</p></li></ol></div><p>
-If you get a message <span class="quote">&#8220;<span class="quote"><span class="errorname">invalid network name</span></span>&#8221;</span> or
-<span class="quote">&#8220;<span class="quote"><span class="errorname">bad password error,</span></span>&#8221;</span> then apply the
-same fixes as for the <code class="literal">smbclient -L</code> test. In
-particular, make sure your <code class="literal">hosts allow</code> line is correct (see the man pages).
-</p><p>
-Also, do not overlook that fact that when the workstation requests the
-connection to the Samba server, it will attempt to connect using the
-name with which you logged onto your Windows machine. You need to make
-sure that an account exists on your Samba server with that exact same
-name and password.
-</p><p>
-If you get a message <span class="quote">&#8220;<span class="quote"><span class="errorname">specified computer is not receiving requests</span></span>&#8221;</span> or similar error,
-it probably means that the host is not contactable via TCP services.
-Check to see if the host is running TCP wrappers, and if so, add an entry in
-the <code class="filename">hosts.allow</code> file for your client (or subnet, and so on.)
-</p></li><li class="step" title="Step 9"><p>
-Run the command <code class="literal">net use x: \\BIGSERVER\TMP</code>. You should
-be prompted for a password, then you should get a <code class="computeroutput">command completed
-successfully</code> message. If not, then your PC software is incorrectly
-installed or your <code class="filename">smb.conf</code> is incorrect. Make sure your <em class="parameter"><code>hosts allow</code></em>
-and other config lines in <code class="filename">smb.conf</code> are correct.
-</p><p>
-It's also possible that the server can't work out what username to connect you as.
-To see if this is the problem, add the line
-<a class="link" href="smb.conf.5.html#USER" target="_top">user = username</a> to the
-<em class="parameter"><code>[tmp]</code></em> section of
-<code class="filename">smb.conf</code> where <em class="parameter"><code>username</code></em> is the
-username corresponding to the password you typed. If you find this
-fixes things, you may need the username mapping option.
-</p><p>
-It might also be the case that your client only sends encrypted passwords
-and you have <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords = no</a> in <code class="filename">smb.conf</code>.
-Change this setting to `yes' to fix this.
-</p></li><li class="step" title="Step 10"><p>
-Run the command <code class="literal">nmblookup -M <em class="parameter"><code>testgroup</code></em></code> where
-<em class="parameter"><code>testgroup</code></em> is the name of the workgroup that your Samba server and
-Windows PCs belong to. You should get back the IP address of the
-master browser for that workgroup.
-</p><p>
-If you do not, then the election process has failed. Wait a minute to
-see if it is just being slow, then try again. If it still fails after
-that, then look at the browsing options you have set in <code class="filename">smb.conf</code>. Make
-sure you have <a class="link" href="smb.conf.5.html#PREFERREDMASTER" target="_top">preferred master = yes</a> to ensure that
-an election is held at startup.
-</p></li><li class="step" title="Step 11"><p>
-From file manager, try to browse the server. Your Samba server should
-appear in the browse list of your local workgroup (or the one you
-specified in <code class="filename">smb.conf</code>). You should be able to double-click on the name
-of the server and get a list of shares. If you get the error message <span class="quote">&#8220;<span class="quote">invalid password,</span>&#8221;</span>
- you are probably running Windows NT and it
-is refusing to browse a server that has no encrypted password
-capability and is in user-level security mode. In this case, either set
-<a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = server</a> and
-<a class="link" href="smb.conf.5.html#PASSWORDSERVER" target="_top">password server = Windows_NT_Machine</a> in your
-<code class="filename">smb.conf</code> file or make sure <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords</a> is
-set to <span class="quote">&#8220;<span class="quote">yes</span>&#8221;</span>.
-</p></li></ol></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="troubleshooting.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="problems.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part V. Troubleshooting </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 39. Analyzing and Solving Samba Problems</td></tr></table></div></body></html>
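Review bot: the note under Step 7 of this deleted page documents `smbclient //bigserver/tmp -Ujohndoe%secret`, which puts the password on the command line, where it is saved in shell history and can be seen by other local users in the process list. If this HTML is regenerated from the documentation source rather than dropped for good, that source should point readers to the prompting form shown just above it (`-Ujohndoe`) and drop or caveat the `%secret` variant. The same follow-up applies to Step 11, which offers `security = server` with `password server = Windows_NT_Machine` as one of two fixes for the "invalid password" browse error. The domain-member chapter removed in the next hunk has its own section on why domain security is better than `security = server`, so the checklist should lead with `encrypt passwords = yes` and not present the two as equals. The commit message should also say whether the rendered checklist is now produced at build time, so readers of the deletion know where the text went.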
diff --git a/docs/htmldocs/Samba3-HOWTO/domain-member.html b/docs/htmldocs/Samba3-HOWTO/domain-member.html
deleted file mode 100644
index e62749c64a..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/domain-member.html
+++ /dev/null
@@ -1,966 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Domain Membership</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="samba-bdc.html" title="Chapter 5. Backup Domain Control"><link rel="next" href="StandAloneServer.html" title="Chapter 7. Standalone Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Domain Membership</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 6. Domain Membership"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 6. 
Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span 
class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="domain-member.html#id339970">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341389">Making an MS Windows Workstation or Server a Domain Member</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#domain-member-server">Domain Member Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342539">Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id342799">Configure <code class="filename">smb.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342981">Configure <code class="filename">/etc/krb5.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></span></dt><dt><span 
class="sect2"><a href="domain-member.html#ads-test-server">Testing Server Setup</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-smbclient">Testing with <span class="application">smbclient</span></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344013">Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a></span></dt><dt><span class="sect1"><a href="domain-member.html#id344280">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id344314">Cannot Add Machine Back to Domain</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344384">Adding Machine to Domain Fails</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344604">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id339923"></a>
-<a class="indexterm" name="id339930"></a>
-<a class="indexterm" name="id339936"></a>
-Domain membership is a subject of vital concern. Samba must be able to
-participate as a member server in a Microsoft domain security context, and
-Samba must be capable of providing domain machine member trust accounts;
-otherwise it would not be able to offer a viable option for many users.
-</p><p>
-<a class="indexterm" name="id339952"></a>
-<a class="indexterm" name="id339958"></a>
-This chapter covers background information pertaining to domain membership,
-the Samba configuration for it, and MS Windows client procedures for joining a
-domain. Why is this necessary? Because both are areas in which there exists
-within the current MS Windows networking world, and particularly in the
-UNIX/Linux networking and administration world, a considerable level of
-misinformation, incorrect understanding, and lack of knowledge. Hopefully
-this chapter will fill the voids.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id339970"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id339978"></a>
-<a class="indexterm" name="id339985"></a>
-<a class="indexterm" name="id339992"></a>
-MS Windows workstations and servers that want to participate in domain security need to
-be made domain members. Participating in domain security is often called
-<span class="emphasis"><em>single sign-on</em></span>, or <acronym class="acronym">SSO</acronym> for short. This
-chapter describes the process that must be followed to make a workstation
-(or another server be it an <span class="application">MS Windows NT4/200x</span>
-server) or a Samba server a member of an MS Windows domain security context.
-</p><p>
-<a class="indexterm" name="id340020"></a>
-<a class="indexterm" name="id340027"></a>
-<a class="indexterm" name="id340033"></a>
-<a class="indexterm" name="id340040"></a>
-Samba-3 can join an MS Windows NT4-style domain as a native member server, an
-MS Windows Active Directory domain as a native member server, or a Samba domain
-control network. Domain membership has many advantages:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id340058"></a>
- MS Windows workstation users get the benefit of SSO.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id340069"></a>
- <a class="indexterm" name="id340076"></a>
- <a class="indexterm" name="id340083"></a>
- <a class="indexterm" name="id340090"></a>
- Domain user access rights and file ownership/access controls can be set
- from the single Domain Security Account Manager (SAM) database
- (works with domain member servers as well as with MS Windows workstations
- that are domain members).
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id340103"></a>
- <a class="indexterm" name="id340109"></a>
- Only <span class="application">MS Windows NT4/200x/XP Professional</span>
- workstations that are domain members can use network logon facilities.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id340127"></a>
- <a class="indexterm" name="id340134"></a>
- <a class="indexterm" name="id340141"></a>
- <a class="indexterm" name="id340148"></a>
- Domain member workstations can be better controlled through the use of
- policy files (<code class="filename">NTConfig.POL</code>) and desktop profiles.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id340166"></a>
- <a class="indexterm" name="id340173"></a>
- <a class="indexterm" name="id340180"></a>
- Through the use of logon scripts, users can be given transparent access to network
- applications that run off application servers.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id340192"></a>
- <a class="indexterm" name="id340199"></a>
- <a class="indexterm" name="id340205"></a>
- <a class="indexterm" name="id340212"></a>
- Network administrators gain better application and user access management
- abilities because there is no need to maintain user accounts on any network
- client or server other than the central domain database
- (either NT4/Samba SAM-style domain, NT4 domain that is backend-ed with an
- LDAP directory, or via an Active Directory infrastructure).
- </p></li></ul></div></div><div class="sect1" title="MS Windows Workstation/Server Machine Trust Accounts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="machine-trust-accounts"></a>MS Windows Workstation/Server Machine Trust Accounts</h2></div></div></div><p>
-<a class="indexterm" name="id340236"></a>
-<a class="indexterm" name="id340243"></a>
-<a class="indexterm" name="id340249"></a>
-<a class="indexterm" name="id340256"></a>
-A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to
-the domain controller server. In Windows terminology, this is known as a <span class="quote">&#8220;<span class="quote">computer account.</span>&#8221;</span> The
-purpose of the machine trust account is to prevent a rogue user and domain controller from colluding to gain
-access to a domain member workstation.
-</p><p>
-<a class="indexterm" name="id340273"></a>
-<a class="indexterm" name="id340282"></a>
-<a class="indexterm" name="id340289"></a>
-<a class="indexterm" name="id340296"></a>
-<a class="indexterm" name="id340302"></a>
-The password of a Machine Trust Account acts as the shared secret for secure communication with the domain
-controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from
-joining the domain, participating in domain security operations, and gaining access to domain user/group
-accounts. Windows NT/200x/XP Professional clients use machine trust accounts, but Windows 9x/Me/XP Home
-clients do not. Hence, a Windows 9x/Me/XP Home client is never a true member of a domain because it does not
-possess a Machine Trust Account, and, thus, has no shared secret with the domain controller.
-</p><p>
-<a class="indexterm" name="id340318"></a>
-<a class="indexterm" name="id340325"></a>
-<a class="indexterm" name="id340331"></a>
-<a class="indexterm" name="id340338"></a>
-A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry.
-The introduction of MS Windows 2000 saw the introduction of Active Directory,
-the new repository for Machine Trust Accounts. A Samba PDC, however, stores
-each Machine Trust Account in two parts,
-as follows:
-
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id340352"></a>
- <a class="indexterm" name="id340359"></a>
- <a class="indexterm" name="id340366"></a>
- A domain security account (stored in the <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>) that has been configured in
- the <code class="filename">smb.conf</code> file. The precise nature of the account information that is stored depends on the type of
- backend database that has been chosen.
- </p><p>
- <a class="indexterm" name="id340395"></a>
- <a class="indexterm" name="id340402"></a>
- <a class="indexterm" name="id340408"></a>
- <a class="indexterm" name="id340415"></a>
- <a class="indexterm" name="id340422"></a>
- <a class="indexterm" name="id340429"></a>
- The older format of this data is the <code class="filename">smbpasswd</code> database
- that contains the UNIX login ID, the UNIX user identifier (UID), and the
- LanMan and NT-encrypted passwords. There is also some other information in
- this file that we do not need to concern ourselves with here.
- </p><p>
- <a class="indexterm" name="id340449"></a>
- <a class="indexterm" name="id340455"></a>
- <a class="indexterm" name="id340462"></a>
- <a class="indexterm" name="id340468"></a>
- The two newer database types are called ldapsam and tdbsam. Both store considerably more data than the older
- <code class="filename">smbpasswd</code> file did. The extra information enables new user account controls to be
- implemented.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id340487"></a>
- <a class="indexterm" name="id340494"></a>
- A corresponding UNIX account, typically stored in <code class="filename">/etc/passwd</code>. Work is in progress to
- allow a simplified mode of operation that does not require UNIX user accounts, but this has not been a feature
- of the early releases of Samba-3, and is not currently planned for release either.
- </p></li></ul></div><p>
-</p><p>
-<a class="indexterm" name="id340518"></a>
-There are three ways to create Machine Trust Accounts:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id340533"></a>
- Manual creation from the UNIX/Linux command line. Here, both the Samba and
- corresponding UNIX account are created by hand.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id340546"></a>
- <a class="indexterm" name="id340552"></a>
- Using the MS Windows NT4 Server Manager, either from an NT4 domain member
- server or using the Nexus toolkit available from the Microsoft Web site.
- This tool can be run from any MS Windows machine as long as the user is
- logged on as the administrator account.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id340566"></a>
- <a class="indexterm" name="id340573"></a>
- <span class="quote">&#8220;<span class="quote">On-the-fly</span>&#8221;</span> creation. The Samba Machine Trust Account is automatically
- created by Samba at the time the client is joined to the domain.
- (For security, this is the recommended method.) The corresponding UNIX
- account may be created automatically or manually.
- </p></li></ul></div><p>
-<a class="indexterm" name="id340589"></a>
-<a class="indexterm" name="id340596"></a>
-Neither MS Windows NT4/200x/XP Professional, nor Samba, provide any method for enforcing the method of machine
-trust account creation. This is a matter of the administrator's choice.
-</p><div class="sect2" title="Manual Creation of Machine Trust Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id340608"></a>Manual Creation of Machine Trust Accounts</h3></div></div></div><p>
-<a class="indexterm" name="id340616"></a>
-<a class="indexterm" name="id340623"></a>
-<a class="indexterm" name="id340628"></a>
-<a class="indexterm" name="id340635"></a>
-The first step in manually creating a Machine Trust Account is to manually
-create the corresponding UNIX account in <code class="filename">/etc/passwd</code>.
-This can be done using <code class="literal">vipw</code> or another <span class="quote">&#8220;<span class="quote">adduser</span>&#8221;</span> command
-that is normally used to create new UNIX accounts. The following is an example for
-a Linux-based Samba server:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>/usr/sbin/useradd -g machines -d /var/lib/nobody \
- -c <em class="replaceable"><code>"machine nickname"</code></em> \
- -s /bin/false <em class="replaceable"><code>machine_name</code></em>$ </code></strong>
-
-<code class="prompt">root# </code><strong class="userinput"><code>passwd -l <em class="replaceable"><code>machine_name</code></em>$</code></strong>
-</pre><p>
-</p><p>
-<a class="indexterm" name="id340700"></a>
-<a class="indexterm" name="id340707"></a>
-<a class="indexterm" name="id340714"></a>
-In the example above there is an existing system group <span class="quote">&#8220;<span class="quote">machines</span>&#8221;</span> which is used
-as the primary group for all machine accounts. In the following examples the <span class="quote">&#8220;<span class="quote">machines</span>&#8221;</span> group
-numeric GID is 100.
-</p><p>
-<a class="indexterm" name="id340733"></a>
-<a class="indexterm" name="id340740"></a>
-On *BSD systems, this can be done using the <code class="literal">chpass</code> utility:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>chpass -a \
-'<em class="replaceable"><code>machine_name</code></em>$:*:101:100::0:0:Windows <em class="replaceable"><code>machine_name</code></em>:/dev/null:/sbin/nologin'</code></strong>
-</pre><p>
-</p><p>
-<a class="indexterm" name="id340779"></a>
-<a class="indexterm" name="id340786"></a>
-<a class="indexterm" name="id340793"></a>
-<a class="indexterm" name="id340800"></a>
-The <code class="filename">/etc/passwd</code> entry will list the machine name
-with a <span class="quote">&#8220;<span class="quote">$</span>&#8221;</span> appended, and will not have a password, will have a null shell and no
-home directory. For example, a machine named <span class="quote">&#8220;<span class="quote">doppy</span>&#8221;</span> would have an
-<code class="filename">/etc/passwd</code> entry like this:
-</p><pre class="programlisting">
-doppy$:x:505:100:<em class="replaceable"><code>machine_nickname</code></em>:/dev/null:/bin/false
-</pre><p>
-</p><p>
-<a class="indexterm" name="id340840"></a>
-<a class="indexterm" name="id340846"></a>
-<a class="indexterm" name="id340853"></a>
-in which <em class="replaceable"><code>machine_nickname</code></em> can be any
-descriptive name for the client, such as BasementComputer.
-<em class="replaceable"><code>machine_name</code></em> absolutely must be the NetBIOS
-name of the client to be joined to the domain. The <span class="quote">&#8220;<span class="quote">$</span>&#8221;</span> must be
-appended to the NetBIOS name of the client or Samba will not recognize
-this as a Machine Trust Account.
-</p><p>
-<a class="indexterm" name="id340876"></a>
-<a class="indexterm" name="id340883"></a>
-<a class="indexterm" name="id340890"></a>
-Now that the corresponding UNIX account has been created, the next step is to create
-the Samba account for the client containing the well-known initial
-Machine Trust Account password. This can be done using the
-<code class="literal">smbpasswd</code> command
-as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a -m <em class="replaceable"><code>machine_name</code></em></code></strong>
-</pre><p>
-</p><p>
-<a class="indexterm" name="id340928"></a>
-<a class="indexterm" name="id340935"></a>
-<a class="indexterm" name="id340942"></a>
-<a class="indexterm" name="id340948"></a>
-where <em class="replaceable"><code>machine_name</code></em> is the machine's NetBIOS
-name. The RID of the new machine account is generated from the UID of
-the corresponding UNIX account.
-</p><div class="warning" title="Join the client to the domain immediately" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Join the client to the domain immediately</h3><p>
-<a class="indexterm" name="id340969"></a>
-<a class="indexterm" name="id340976"></a>
-<a class="indexterm" name="id340982"></a>
-<a class="indexterm" name="id340989"></a>
-<a class="indexterm" name="id340996"></a>
-Manually creating a Machine Trust Account using this method is the
-equivalent of creating a Machine Trust Account on a Windows NT PDC using
-<a class="indexterm" name="id341004"></a>
-the <span class="application">Server Manager</span>. From the time at which the
-account is created to the time the client joins the domain and
-changes the password, your domain is vulnerable to an intruder joining
-your domain using a machine with the same NetBIOS name. A PDC inherently
-trusts members of the domain and will serve out a large degree of user
-information to such clients. You have been warned!
-</p></div></div><div class="sect2" title="Managing Domain Machine Accounts using NT4 Server Manager"><div class="titlepage"><div><div><h3 class="title"><a name="id341023"></a>Managing Domain Machine Accounts using NT4 Server Manager</h3></div></div></div><p>
-<a class="indexterm" name="id341031"></a>
-<a class="indexterm" name="id341038"></a>
-<a class="indexterm" name="id341045"></a>
-A working <a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a> is essential
-for machine trust accounts to be automatically created. This applies no matter whether
-you use automatic account creation or the NT4 Domain Server Manager.
-</p><p>
-<a class="indexterm" name="id341068"></a>
-<a class="indexterm" name="id341075"></a>
-<a class="indexterm" name="id341082"></a>
-<a class="indexterm" name="id341088"></a>
-If the machine from which you are trying to manage the domain is an
-<span class="application">MS Windows NT4 workstation or MS Windows 200x/XP Professional</span>,
-the tool of choice is the package called <code class="literal">SRVTOOLS.EXE</code>.
-When executed in the target directory it will unpack <code class="literal">SrvMgr.exe</code>
-and <code class="literal">UsrMgr.exe</code> (both are domain management tools for MS Windows NT4 workstation).
-</p><p>
-<a class="indexterm" name="id341125"></a>
-<a class="indexterm" name="id341131"></a>
-If your workstation is a <span class="application">Microsoft Windows 9x/Me</span> family product,
- you should download the <code class="literal">Nexus.exe</code> package from the Microsoft Web site.
-When executed from the target directory, it will unpack the same tools but for use on
-this platform.
-</p><p>
-Further information about these tools may be obtained from Knowledge Base articles
-<a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673" target="_top">173673</a>, and
-<a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540" target="_top">172540</a>
-</p><p>
-<a class="indexterm" name="id341171"></a>
-<a class="indexterm" name="id341178"></a>
-Launch the <code class="literal">srvmgr.exe</code> (Server Manager for Domains) and follow these steps:
-</p><div class="procedure" title="Procedure 6.1. Server Manager Account Machine Account Management"><a name="id341192"></a><p class="title"><b>Procedure 6.1. Server Manager Account Machine Account Management</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- From the menu select <span class="guimenu">Computer</span>.
- </p></li><li class="step" title="Step 2"><p>
- Click <span class="guimenuitem">Select Domain</span>.
- </p></li><li class="step" title="Step 3"><p>
- Click the name of the domain you wish to administer in the
- <span class="guilabel">Select Domain</span> panel and then click
- <span class="guibutton">OK</span>.
- </p></li><li class="step" title="Step 4"><p>
- Again from the menu select <span class="guimenu">Computer</span>.
- </p></li><li class="step" title="Step 5"><p>
- Select <span class="guimenuitem">Add to Domain</span>.
- </p></li><li class="step" title="Step 6"><p>
- In the dialog box, click the radio button to
- <span class="guilabel">Add NT Workstation of Server</span>, then
- enter the machine name in the field provided, and click the
- <span class="guibutton">Add</span> button.
- </p></li></ol></div></div><div class="sect2" title="On-the-Fly Creation of Machine Trust Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id341289"></a>On-the-Fly Creation of Machine Trust Accounts</h3></div></div></div><p>
-<a class="indexterm" name="id341297"></a>
-The third (and recommended) way of creating Machine Trust Accounts is simply to allow the Samba server to
-create them as needed when the client is joined to the domain.
-</p><p>
-<a class="indexterm" name="id341311"></a>
-<a class="indexterm" name="id341321"></a>
-<a class="indexterm" name="id341327"></a>
-Since each Samba Machine Trust Account requires a corresponding UNIX account, a method
-for automatically creating the UNIX account is usually supplied; this requires configuration of the
-add machine script option in <code class="filename">smb.conf</code>. This method is not required; however, corresponding UNIX
-accounts may also be created manually.
-</p><p>
-<a class="indexterm" name="id341346"></a>
-<a class="indexterm" name="id341353"></a>
-Here is an example for a Red Hat Linux system:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id341375"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u</code></em></td></tr></table><p>
-</p></div><div class="sect2" title="Making an MS Windows Workstation or Server a Domain Member"><div class="titlepage"><div><div><h3 class="title"><a name="id341389"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div></div><p>
-The procedure for making an MS Windows workstation or server a member of the domain varies
-with the version of Windows.
-</p><div class="sect3" title="Windows 200x/XP Professional Client"><div class="titlepage"><div><div><h4 class="title"><a name="id341398"></a>Windows 200x/XP Professional Client</h4></div></div></div><p>
-<a class="indexterm" name="id341406"></a>
-<a class="indexterm" name="id341413"></a>
-<a class="indexterm" name="id341422"></a>
-<a class="indexterm" name="id341429"></a>
- When the user elects to make the client a domain member, Windows 200x prompts for
- an account and password that has privileges to create machine accounts in the domain.
- </p><p>
- A Samba administrator account (i.e., a Samba account that has <code class="literal">root</code> privileges on the
- Samba server) must be entered here; the operation will fail if an ordinary user account is given.
- The necessary privilege can be assured by creating a Samba SAM account for <code class="literal">root</code> or
- by granting the <code class="literal">SeMachineAccountPrivilege</code> privilege to the user account.
- </p><p>
-<a class="indexterm" name="id341464"></a>
-<a class="indexterm" name="id341471"></a>
- For security reasons, the password for this administrator account should be set
- to a password that is other than that used for the root user in <code class="filename">/etc/passwd</code>.
- </p><p>
-<a class="indexterm" name="id341488"></a>
-<a class="indexterm" name="id341495"></a>
-<a class="indexterm" name="id341501"></a>
-<a class="indexterm" name="id341508"></a>
- The name of the account that is used to create domain member machine trust accounts can be
- anything the network administrator may choose. If it is other than <code class="constant">root</code>,
- then this is easily mapped to <code class="constant">root</code> in the file named in the <code class="filename">smb.conf</code> parameter
- <a class="link" href="smb.conf.5.html#USERNAMEMAP" target="_top">username map = /etc/samba/smbusers</a>.
- </p><p>
-<a class="indexterm" name="id341546"></a>
-<a class="indexterm" name="id341552"></a>
-<a class="indexterm" name="id341559"></a>
- The session key of the Samba administrator account acts as an encryption key for setting the password of the machine trust
- account. The Machine Trust Account will be created on-the-fly, or updated if it already exists.
- </p></div><div class="sect3" title="Windows NT4 Client"><div class="titlepage"><div><div><h4 class="title"><a name="id341570"></a>Windows NT4 Client</h4></div></div></div><p>
-<a class="indexterm" name="id341577"></a>
-<a class="indexterm" name="id341584"></a>
-<a class="indexterm" name="id341590"></a>
- If the Machine Trust Account was created manually, on the
- Identification Changes menu enter the domain name, but do not
- check the box <span class="guilabel">Create a Computer Account in the Domain</span>.
- In this case, the existing Machine Trust Account is used to join the machine
- to the domain.
- </p><p>
-<a class="indexterm" name="id341609"></a>
-<a class="indexterm" name="id341615"></a>
-<a class="indexterm" name="id341622"></a>
-<a class="indexterm" name="id341629"></a>
- If the Machine Trust Account is to be created on the fly, on the Identification Changes menu enter the domain
- name and check the box <span class="guilabel">Create a Computer Account in the Domain</span>. In this case, joining
- the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba administrator account when
- prompted).
- </p></div><div class="sect3" title="Samba Client"><div class="titlepage"><div><div><h4 class="title"><a name="id341646"></a>Samba Client</h4></div></div></div><p>
-<a class="indexterm" name="id341654"></a>
- Joining a Samba client to a domain is documented in <a class="link" href="domain-member.html#domain-member-server" title="Domain Member Server">the next section</a>.
- </p></div></div></div><div class="sect1" title="Domain Member Server"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domain-member-server"></a>Domain Member Server</h2></div></div></div><p>
-<a class="indexterm" name="id341682"></a>
-<a class="indexterm" name="id341689"></a>
-<a class="indexterm" name="id341696"></a>
-<a class="indexterm" name="id341703"></a>
-This mode of server operation involves the Samba machine being made a member
-of a domain security context. This means by definition that all user
-authentication will be done from a centrally defined authentication regime.
-The authentication regime may come from an NT3/4-style (old domain technology)
-server, or it may be provided from an Active Directory server (ADS) running on
-MS Windows 2000 or later.
-</p><p>
-<span class="emphasis"><em>
-<a class="indexterm" name="id341722"></a>
-<a class="indexterm" name="id341731"></a>
-<a class="indexterm" name="id341738"></a>
-<a class="indexterm" name="id341744"></a>
-<a class="indexterm" name="id341751"></a>
-<a class="indexterm" name="id341758"></a>
-<a class="indexterm" name="id341765"></a>
-<a class="indexterm" name="id341771"></a>
-Of course it should be clear that the authentication backend itself could be
-from any distributed directory architecture server that is supported by Samba.
-This can be LDAP (from OpenLDAP), or Sun's iPlanet, or Novell e-Directory
-Server, and so on.
-</em></span>
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id341786"></a>
-<a class="indexterm" name="id341793"></a>
-<a class="indexterm" name="id341799"></a>
-When Samba is configured to use an LDAP or other identity management and/or
-directory service, it is Samba that continues to perform user and machine
-authentication. It should be noted that the LDAP server does not perform
-authentication handling in place of what Samba is designed to do.
-</p></div><p>
-<a class="indexterm" name="id341812"></a>
-<a class="indexterm" name="id341819"></a>
-<a class="indexterm" name="id341826"></a>
-Please refer to <a class="link" href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>, for more information regarding
-how to create a domain machine account for a domain member server as well as for
-information on how to enable the Samba domain member machine to join the domain
-and be fully trusted by it.
-</p><div class="sect2" title="Joining an NT4-type Domain with Samba-3"><div class="titlepage"><div><div><h3 class="title"><a name="id341842"></a>Joining an NT4-type Domain with Samba-3</h3></div></div></div><p><a class="link" href="domain-member.html#assumptions" title="Table 6.1. Assumptions">Assumptions</a> lists names that are used in the remainder of this chapter.</p><div class="table"><a name="assumptions"></a><p class="title"><b>Table 6.1. Assumptions</b></p><div class="table-contents"><table summary="Assumptions" border="1"><colgroup><col align="right"><col align="left"></colgroup><tbody><tr><td align="right">Samba DMS NetBIOS name:</td><td align="left">SERV1</td></tr><tr><td align="right">Windows 200x/NT domain name:</td><td align="left">MIDEARTH</td></tr><tr><td align="right">Domain's PDC NetBIOS name:</td><td align="left">DOMPDC</td></tr><tr><td align="right">Domain's BDC NetBIOS names:</td><td align="left">DOMBDC1 and DOMBDC2</td></tr></tbody></table></div></div><br class="table-break"><p>
-<a class="indexterm" name="id341925"></a>
-First, you must edit your <code class="filename">smb.conf</code> file to tell Samba it should now use domain security.
-</p><p>
-<a class="indexterm" name="id341941"></a>
-<a class="indexterm" name="id341947"></a>
-<a class="indexterm" name="id341954"></a>
-<a class="indexterm" name="id341961"></a>
-Change (or add) your <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security</a> line in the [global] section
-of your <code class="filename">smb.conf</code> to read:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id341991"></a><em class="parameter"><code>security = domain</code></em></td></tr></table><p>
-Note that if the parameter <em class="parameter"><code>security = user</code></em> is used, this machine would function as a
-standalone server and not as a domain member server. Domain security mode causes Samba to work within the
-domain security context.
-</p><p>
-Next change the <a class="link" href="smb.conf.5.html#WORKGROUP" target="_top">workgroup</a> line in the <em class="parameter"><code>[global]</code></em>
-section to read:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id342036"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr></table><p>
-This is the name of the domain we are joining.
-</p><p>
-<a class="indexterm" name="id342051"></a>
-<a class="indexterm" name="id342058"></a>
-You must also have the parameter <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords</a>
-set to <code class="constant">yes</code> in order for your users to authenticate to the NT PDC.
-This is the default setting if this parameter is not specified. There is no need to specify this
-parameter, but if it is specified in the <code class="filename">smb.conf</code> file, it must be set to <code class="constant">Yes</code>.
-</p><p>
-<a class="indexterm" name="id342094"></a>
-<a class="indexterm" name="id342101"></a>
-<a class="indexterm" name="id342108"></a>
-<a class="indexterm" name="id342114"></a>
-Finally, add (or modify) a <a class="link" href="smb.conf.5.html#PASSWORDSERVER" target="_top">password server</a> line in the [global]
-section to read:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id342138"></a><em class="parameter"><code>password server = DOMPDC DOMBDC1 DOMBDC2</code></em></td></tr></table><p>
-These are the PDC and BDCs Samba
-will attempt to contact in order to authenticate users. Samba will
-try to contact each of these servers in order, so you may want to
-rearrange this list in order to spread out the authentication load
-among Domain Controllers.
-</p><p>
-<a class="indexterm" name="id342155"></a>
-<a class="indexterm" name="id342162"></a>
-<a class="indexterm" name="id342169"></a>
-<a class="indexterm" name="id342176"></a>
-Alternatively, if you want smbd to determine automatically the list of domain controllers to use for
-authentication, you may set this line to be:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id342189"></a><em class="parameter"><code>password server = *</code></em></td></tr></table><p>
-<a class="indexterm" name="id342201"></a>
-This method allows Samba to use exactly the same mechanism that NT does. The
-method either uses broadcast-based name resolution, performs a WINS database
-lookup in order to find a domain controller against which to authenticate,
-or locates the domain controller using DNS name resolution.
-</p><p>
-To join the domain, run this command:
-<a class="indexterm" name="id342214"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>net rpc join -S DOMPDC -U<em class="replaceable"><code>Administrator%password</code></em></code></strong>
-</pre><p>
-</p><p>
-<a class="indexterm" name="id342246"></a>
-<a class="indexterm" name="id342253"></a>
-<a class="indexterm" name="id342260"></a>
-<a class="indexterm" name="id342267"></a>
-If the <code class="option">-S DOMPDC</code> argument is not given, the domain name will be obtained from <code class="filename">smb.conf</code> and
-the NetBIOS name of the PDC will be obtained either using a WINS lookup or via NetBIOS broadcast based name
-look up.
-</p><p>
-<a class="indexterm" name="id342288"></a>
-<a class="indexterm" name="id342295"></a>
-<a class="indexterm" name="id342301"></a>
-<a class="indexterm" name="id342308"></a>
-The machine is joining the domain DOM, and the PDC for that domain (the only machine
-that has write access to the domain SAM database) is DOMPDC; therefore, use the <code class="option">-S</code>
-option. The <em class="replaceable"><code>Administrator%password</code></em> is the login name and
-password for an account that has the necessary privilege to add machines to the
-domain. If this is successful, you will see the following message in your terminal window.
-Where the older NT4-style domain architecture is used:
-</p><pre class="screen">
-<code class="computeroutput">Joined domain DOM.</code>
-</pre><p>
-</p><p>
-<a class="indexterm" name="id342340"></a>
-<a class="indexterm" name="id342352"></a>
-<a class="indexterm" name="id342358"></a>
-Where Active Directory is used, the command used to join the ADS domain is:
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads join -U<em class="replaceable"><code>Administrator%password</code></em>
-</pre><p>
-And the following output is indicative of a successful outcome:
-</p><pre class="screen">
-<code class="computeroutput">Joined SERV1 to realm MYREALM.</code>
-</pre><p>
-</p><p>
-Refer to the <code class="literal">net</code> man page and to <a class="link" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">the chapter on remote
-administration</a> for further information.
-</p><p>
-<a class="indexterm" name="id342412"></a>
-<a class="indexterm" name="id342418"></a>
-<a class="indexterm" name="id342425"></a>
-This process joins the server to the domain without separately having to create the machine
-trust account on the PDC beforehand.
-</p><p>
-<a class="indexterm" name="id342436"></a>
-<a class="indexterm" name="id342446"></a>
-<a class="indexterm" name="id342453"></a>
-<a class="indexterm" name="id342460"></a>
-This command goes through the machine account password change protocol, then writes the new (random) machine
-account password for this Samba server into a file in the same directory in which a smbpasswd file would be
-normally stored. The trust account information that is needed by the DMS is written into the file
-<code class="filename">/usr/local/samba/private/secrets.tdb</code> or <code class="filename">/etc/samba/secrets.tdb</code>.
-</p><p>
-<a class="indexterm" name="id342484"></a>
-<a class="indexterm" name="id342491"></a>
-This file is created and owned by root and is not readable by any other user. It is
-the key to the domain-level security for your system and should be treated as carefully
-as a shadow password file.
-</p><p>
-<a class="indexterm" name="id342503"></a>
-<a class="indexterm" name="id342510"></a>
-<a class="indexterm" name="id342516"></a>
-Finally, restart your Samba daemons and get ready for clients to begin using domain
-security. The way you can restart your Samba daemons depends on your distribution,
-but in most cases the following will suffice:
-</p><pre class="screen">
-<code class="prompt">root# </code>/etc/init.d/samba restart
-</pre><p>
-</p></div><div class="sect2" title="Why Is This Better Than security = server?"><div class="titlepage"><div><div><h3 class="title"><a name="id342539"></a>Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</h3></div></div></div><p>
-<a class="indexterm" name="id342552"></a>
-<a class="indexterm" name="id342559"></a>
-<a class="indexterm" name="id342566"></a>
-Currently, domain security in Samba does not free you from having to create local UNIX users to represent the
-users attaching to your server. This means that if domain user <code class="constant">DOM\fred</code> attaches to your
-domain security Samba server, there needs to be a local UNIX user fred to represent that user in the UNIX file
-system. This is similar to the older Samba security mode <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = server</a>, where Samba would pass through the authentication request to a Windows
-NT server in the same way as a Windows 95 or Windows 98 server would.
-</p><p>
-<a class="indexterm" name="id342596"></a>
-<a class="indexterm" name="id342602"></a>
-<a class="indexterm" name="id342609"></a>
-Please refer to <a class="link" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>, for information on a system
-to automatically assign UNIX UIDs and GIDs to Windows NT domain users and groups.
-</p><p>
-<a class="indexterm" name="id342627"></a>
-<a class="indexterm" name="id342633"></a>
-<a class="indexterm" name="id342640"></a>
-The advantage of domain-level security is that the authentication in domain-level security is passed down the
-authenticated RPC channel in exactly the same way that an NT server would do it. This means Samba servers now
-participate in domain trust relationships in exactly the same way NT servers do (i.e., you can add Samba
-servers into a resource domain and have the authentication passed on from a resource domain PDC to an account
-domain PDC).
-</p><p>
-<a class="indexterm" name="id342654"></a>
-<a class="indexterm" name="id342661"></a>
-<a class="indexterm" name="id342667"></a>
-In addition, with <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = server</a>, every Samba daemon on a server has to
-keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the
-connection resources on a Microsoft NT server and cause it to run out of available connections. With
-<a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = domain</a>, however, the Samba daemons connect to the PDC or BDC
-only for as long as is necessary to authenticate the user and then drop the connection, thus conserving PDC
-connection resources.
-</p><p>
-<a class="indexterm" name="id342702"></a>
-<a class="indexterm" name="id342708"></a>
-<a class="indexterm" name="id342715"></a>
-<a class="indexterm" name="id342721"></a>
-Finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the
-authentication reply, the Samba server gets the user identification information such as the user SID, the list
-of NT groups the user belongs to, and so on.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Much of the text of this document was first published in the Web magazine
-<a class="ulink" href="http://www.linuxworld.com" target="_top"><span class="emphasis"><em>LinuxWorld</em></span></a> as the article <a class="ulink" href="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" target="_top">http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html</a>
-<span class="emphasis"><em>Doing the NIS/NT Samba</em></span>.
-</p></div></div></div><div class="sect1" title="Samba ADS Domain Membership"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ads-member"></a>Samba ADS Domain Membership</h2></div></div></div><p>
-<a class="indexterm" name="id342768"></a>
-<a class="indexterm" name="id342774"></a>
-<a class="indexterm" name="id342783"></a>
-<a class="indexterm" name="id342790"></a>
-This is a rough guide to setting up Samba-3 with Kerberos authentication against a
-Windows 200x KDC. A familiarity with Kerberos is assumed.
-</p><div class="sect2" title="Configure smb.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id342799"></a>Configure <code class="filename">smb.conf</code></h3></div></div></div><p>
-You must use at least the following three options in <code class="filename">smb.conf</code>:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id342824"></a><em class="parameter"><code>realm = your.kerberos.REALM</code></em></td></tr><tr><td><a class="indexterm" name="id342836"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td># The following parameter need only be specified if present.</td></tr><tr><td># The default setting if not present is Yes.</td></tr><tr><td><a class="indexterm" name="id342855"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr></table><p>
-<a class="indexterm" name="id342869"></a>
-<a class="indexterm" name="id342875"></a>
-<a class="indexterm" name="id342882"></a>
-<a class="indexterm" name="id342888"></a>
-<a class="indexterm" name="id342895"></a>
-In case samba cannot correctly identify the appropriate ADS server using the realm name, use the
-<a class="link" href="smb.conf.5.html#PASSWORDSERVER" target="_top">password server</a> option in <code class="filename">smb.conf</code>:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id342926"></a><em class="parameter"><code>password server = your.kerberos.server</code></em></td></tr></table><p>
-The most common reason for which Samba may not be able to locate the ADS domain controller is a consequence of
-sites maintaining some DNS servers on UNIX systems without regard for the DNS requirements of the ADS
-infrastructure. There is no harm in specifying a preferred ADS domain controller using the <em class="parameter"><code>password
-server</code></em>.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id342950"></a>
-<a class="indexterm" name="id342957"></a>
-You do <span class="emphasis"><em>not</em></span> need an smbpasswd file, and older clients will be authenticated as
-if <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = domain</a>, although it will not do any harm and
-allows you to have local users not in the domain.
-</p></div></div><div class="sect2" title="Configure /etc/krb5.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id342981"></a>Configure <code class="filename">/etc/krb5.conf</code></h3></div></div></div><p>
-<a class="indexterm" name="id342993"></a>
-<a class="indexterm" name="id343000"></a>
-<a class="indexterm" name="id343009"></a>
-<a class="indexterm" name="id343016"></a>
-With both MIT and Heimdal Kerberos, it is unnecessary to configure the <code class="filename">/etc/krb5.conf</code>,
-and it may be detrimental.
-</p><p>
-<a class="indexterm" name="id343032"></a>
-<a class="indexterm" name="id343039"></a>
-<a class="indexterm" name="id343046"></a>
-<a class="indexterm" name="id343053"></a>
-<a class="indexterm" name="id343059"></a>
-Microsoft ADS automatically create SRV records in the DNS zone
-<em class="parameter"><code>_kerberos._tcp.REALM.NAME</code></em> for each KDC in the realm. This is part
-of the installation and configuration process used to create an Active Directory domain.
-A KDC is a Kerberos Key Distribution Center and forms an integral part of the Microsoft
-active directory infrastructure.
-</p><p>
-<a class="indexterm" name="id343078"></a>
-<a class="indexterm" name="id343085"></a>
-<a class="indexterm" name="id343092"></a>
-<a class="indexterm" name="id343098"></a>
-<a class="indexterm" name="id343105"></a>
-<a class="indexterm" name="id343112"></a>
-UNIX systems can use kinit and the DES-CBC-MD5 or DES-CBC-CRC encryption types to authenticate to the Windows
-2000 KDC. For further information regarding Windows 2000 ADS kerberos interoperability please refer to the
-Microsoft Windows 2000 Kerberos <a class="ulink" href="http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp" target="_top">Interoperability</a>
-guide. Another very useful document that may be referred to for general information regarding Kerberos
-interoperability is <a class="ulink" href="http://www.ietf.org/rfc/rfc1510.txt?number=1510" target="_top">RFC1510</a>. This RFC
-explains much of the magic behind the operation of Kerberos.
-</p><p>
-<a class="indexterm" name="id343138"></a>
-<a class="indexterm" name="id343145"></a>
-<a class="indexterm" name="id343152"></a>
-<a class="indexterm" name="id343159"></a>
-<a class="indexterm" name="id343165"></a>
-<a class="indexterm" name="id343172"></a>
-MIT's, as well as Heimdal's, recent KRB5 libraries default to checking for SRV records, so they will
-automatically find the KDCs. In addition, <code class="filename">krb5.conf</code> only allows specifying
-a single KDC, even there if there may be more than one. Using the DNS lookup allows the KRB5
-libraries to use whichever KDCs are available.
-</p><p>
-<a class="indexterm" name="id343191"></a>
-When manually configuring <code class="filename">krb5.conf</code>, the minimal configuration is:
-</p><pre class="screen">
-[libdefaults]
- default_realm = YOUR.KERBEROS.REALM
-
-[realms]
- YOUR.KERBEROS.REALM = {
- kdc = your.kerberos.server
- }
-
-[domain_realms]
- .kerberos.server = YOUR.KERBEROS.REALM
-</pre><p>
-</p><p>
-<a class="indexterm" name="id343214"></a>
-When using Heimdal versions before 0.6, use the following configuration settings:
-</p><pre class="screen">
-[libdefaults]
- default_realm = YOUR.KERBEROS.REALM
- default_etypes = des-cbc-crc des-cbc-md5
- default_etypes_des = des-cbc-crc des-cbc-md5
-
-[realms]
- YOUR.KERBEROS.REALM = {
- kdc = your.kerberos.server
- }
-
-[domain_realms]
- .kerberos.server = YOUR.KERBEROS.REALM
-</pre><p>
-</p><p>
-<a class="indexterm" name="id343233"></a>
-<a class="indexterm" name="id343240"></a>
-Test your config by doing a <strong class="userinput"><code>kinit
-<em class="replaceable"><code>USERNAME</code></em>@<em class="replaceable"><code>REALM</code></em></code></strong> and
-making sure that your password is accepted by the Win2000 KDC.
-</p><p>
-<a class="indexterm" name="id343262"></a>
-<a class="indexterm" name="id343269"></a>
-<a class="indexterm" name="id343276"></a>
-<a class="indexterm" name="id343282"></a>
-With Heimdal versions earlier than 0.6.x you can use only newly created accounts
-in ADS or accounts that have had the password changed once after migration, or
-in case of <code class="constant">Administrator</code> after installation. At the
-moment, a Windows 2003 KDC can only be used with Heimdal releases later than 0.6
-(and no default etypes in krb5.conf). Unfortunately, this whole area is still
-in a state of flux.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id343300"></a>
-<a class="indexterm" name="id343307"></a>
-<a class="indexterm" name="id343314"></a>
-The realm must be in uppercase or you will get a <span class="quote">&#8220;<span class="quote"><span class="errorname">Cannot find KDC for
-requested realm while getting initial credentials</span></span>&#8221;</span> error (Kerberos
-is case-sensitive!).
-</p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id343330"></a>
-<a class="indexterm" name="id343337"></a>
-<a class="indexterm" name="id343344"></a>
-<a class="indexterm" name="id343351"></a>
-Time between the two servers must be synchronized. You will get a <span class="quote">&#8220;<span class="quote"><span class="errorname">kinit(v5): Clock skew too
-great while getting initial credentials</span></span>&#8221;</span> if the time difference (clock skew) is more than five minutes.
-</p></div><p>
-<a class="indexterm" name="id343367"></a>
-<a class="indexterm" name="id343374"></a>
-Clock skew limits are configurable in the Kerberos protocols. The default setting is five minutes.
-</p><p>
-<a class="indexterm" name="id343385"></a>
-<a class="indexterm" name="id343391"></a>
-<a class="indexterm" name="id343398"></a>
-<a class="indexterm" name="id343405"></a>
-You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that
-this reverse lookup maps to must either be the NetBIOS name of the KDC (i.e., the hostname with no domain
-attached) or it can be the NetBIOS name followed by the realm.
-</p><p>
-<a class="indexterm" name="id343417"></a>
-<a class="indexterm" name="id343424"></a>
-<a class="indexterm" name="id343430"></a>
-The easiest way to ensure you get this right is to add a <code class="filename">/etc/hosts</code> entry mapping the IP
-address of your KDC to its NetBIOS name. If you do not get this correct, then you will get a <span class="errorname">local
-error</span> when you try to join the realm.
-</p><p>
-<a class="indexterm" name="id343452"></a>
-<a class="indexterm" name="id343459"></a>
-<a class="indexterm" name="id343466"></a>
-<a class="indexterm" name="id343472"></a>
-If all you want is Kerberos support in <span class="application">smbclient</span>, then you can skip directly to <a class="link" href="domain-member.html#ads-test-smbclient" title="Testing with smbclient">Testing with <span class="application">smbclient</span></a> now. <a class="link" href="domain-member.html#ads-create-machine-account" title="Create the Computer Account">Create the Computer Account</a> and <a class="link" href="domain-member.html#ads-test-server" title="Testing Server Setup">Testing Server Setup</a> are needed only if you want Kerberos support for <span class="application">smbd</span>
-and <span class="application">winbindd</span>.
-</p></div><div class="sect2" title="Create the Computer Account"><div class="titlepage"><div><div><h3 class="title"><a name="ads-create-machine-account"></a>Create the Computer Account</h3></div></div></div><p>
-<a class="indexterm" name="id343538"></a>
-<a class="indexterm" name="id343544"></a>
-<a class="indexterm" name="id343551"></a>
-<a class="indexterm" name="id343558"></a>
-As a user who has write permission on the Samba private directory (usually root), run:
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>net ads join -U Administrator%password</code></strong>
-</pre><p>
-The Administrator account can be any account that has been designated in the ADS domain security settings with
-permission to add machines to the ADS domain. It is, of course, a good idea to use an account other than Administrator.
-On the UNIX/Linux system, this command must be executed by an account that has UID=0 (root).
-</p><p>
-<a class="indexterm" name="id343589"></a>
-<a class="indexterm" name="id343595"></a>
-<a class="indexterm" name="id343602"></a>
-<a class="indexterm" name="id343609"></a>
-<a class="indexterm" name="id343616"></a>
-<a class="indexterm" name="id343622"></a>
-When making a Windows client a member of an ADS domain within a complex organization, you
-may want to create the machine trust account within a particular organizational unit. Samba-3 permits
-this to be done using the following syntax:
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>kinit Administrator@your.kerberos.REALM</code></strong>
-<code class="prompt">root# </code> <strong class="userinput"><code>net ads join createcomputer="organizational_unit"</code></strong>
-</pre><p>
-Your ADS manager will be able to advise what should be specified for the "organizational_unit" parameter.
-</p><p>
-<a class="indexterm" name="id343669"></a>
-<a class="indexterm" name="id343676"></a>
-<a class="indexterm" name="id343682"></a>
-<a class="indexterm" name="id343689"></a>
-For example, you may want to create the machine trust account in a container called <span class="quote">&#8220;<span class="quote">Servers</span>&#8221;</span>
-under the organizational directory <span class="quote">&#8220;<span class="quote">Computers/BusinessUnit/Department,</span>&#8221;</span> like this:
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>net ads join "Computers/BusinessUnit/Department/Servers"</code></strong>
-</pre><p>
-This command will place the Samba server machine trust account in the container
-<code class="literal">Computers/BusinessUnit/Department/Servers</code>. The container should exist in the ADS directory
-before executing this command. Please note that forward slashes must be used, because backslashes are both
-valid characters in an OU name and used as escapes for other characters. If you need a backslash in an OU
-name, it may need to be quadrupled to pass through the shell escape and ldap escape.
-</p><div class="sect3" title="Possible Errors"><div class="titlepage"><div><div><h4 class="title"><a name="id343732"></a>Possible Errors</h4></div></div></div><p>
-</p><div class="variablelist"><dl><dt><span class="term"><span class="errorname">ADS support not compiled in</span></span></dt><dd><p>
- <a class="indexterm" name="id343751"></a>
- <a class="indexterm" name="id343758"></a>
- <a class="indexterm" name="id343765"></a>
- Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the
- Kerberos libraries and headers files are installed.
- </p></dd><dt><span class="term"><span class="errorname">net ads join prompts for user name</span></span></dt><dd><p>
- <a class="indexterm" name="id343783"></a>
- <a class="indexterm" name="id343790"></a>
- You need to login to the domain using <strong class="userinput"><code>kinit
- <em class="replaceable"><code>USERNAME</code></em>@<em class="replaceable"><code>REALM</code></em></code></strong>.
- <em class="replaceable"><code>USERNAME</code></em> must be a user who has rights to add a machine to the domain.
- </p></dd><dt><span class="term">Unsupported encryption/or checksum types</span></dt><dd><p>
- <a class="indexterm" name="id343822"></a>
- <a class="indexterm" name="id343829"></a>
- <a class="indexterm" name="id343836"></a>
- Make sure that the <code class="filename">/etc/krb5.conf</code> is correctly configured
- for the type and version of Kerberos installed on the system.
- </p></dd></dl></div><p>
-</p></div></div><div class="sect2" title="Testing Server Setup"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-server"></a>Testing Server Setup</h3></div></div></div><p>
-<a class="indexterm" name="id343866"></a>
-<a class="indexterm" name="id343872"></a>
-<a class="indexterm" name="id343879"></a>
-If the join was successful, you will see a new computer account with the
-NetBIOS name of your Samba server in Active Directory (in the <span class="quote">&#8220;<span class="quote">Computers</span>&#8221;</span>
-folder under Users and Computers.
-</p><p>
-<a class="indexterm" name="id343894"></a>
-<a class="indexterm" name="id343901"></a>
-<a class="indexterm" name="id343910"></a>
-On a Windows 2000 client, try <strong class="userinput"><code>net use * \\server\share</code></strong>. It should be possible
-to login with Kerberos without needing to know a password. If this fails, then run
-<strong class="userinput"><code>klist tickets</code></strong>. Did you get a ticket for the server? Does it have
-an encryption type of DES-CBC-MD5?
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id343935"></a>
-<a class="indexterm" name="id343942"></a>
-<a class="indexterm" name="id343948"></a>
-Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding.
-</p></div></div><div class="sect2" title="Testing with smbclient"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-smbclient"></a>Testing with <span class="application">smbclient</span></h3></div></div></div><p>
-<a class="indexterm" name="id343974"></a>
-<a class="indexterm" name="id343980"></a>
-<a class="indexterm" name="id343987"></a>
-On your Samba server try to login to a Windows 2000 server or your Samba
-server using <span class="application">smbclient</span> and Kerberos. Use <span class="application">smbclient</span> as usual, but
-specify the <code class="option">-k</code> option to choose Kerberos authentication.
-</p></div><div class="sect2" title="Notes"><div class="titlepage"><div><div><h3 class="title"><a name="id344013"></a>Notes</h3></div></div></div><p>
-<a class="indexterm" name="id344021"></a>
-<a class="indexterm" name="id344028"></a>
-<a class="indexterm" name="id344035"></a>
-You must change the administrator password at least once after installing a domain controller,
-to create the right encryption types.
-</p><p>
-<a class="indexterm" name="id344046"></a>
-<a class="indexterm" name="id344053"></a>
-<a class="indexterm" name="id344059"></a>
-Windows 200x does not seem to create the <em class="parameter"><code>_kerberos._udp</code></em> and
-<em class="parameter"><code>_ldap._tcp</code></em> in the default DNS setup. Perhaps this will be fixed later in service packs.
-</p></div></div><div class="sect1" title="Sharing User ID Mappings between Samba Domain Members"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344082"></a>Sharing User ID Mappings between Samba Domain Members</h2></div></div></div><p>
-<a class="indexterm" name="id344090"></a>
-<a class="indexterm" name="id344097"></a>
-<a class="indexterm" name="id344104"></a>
-<a class="indexterm" name="id344110"></a>
-Samba maps UNIX users and groups (identified by UIDs and GIDs) to Windows users and groups (identified by SIDs).
-These mappings are done by the <em class="parameter"><code>idmap</code></em> subsystem of Samba.
-</p><p>
-<a class="indexterm" name="id344128"></a>
-<a class="indexterm" name="id344134"></a>
-<a class="indexterm" name="id344141"></a>
-In some cases it is useful to share these mappings between Samba domain members,
-so <span class="emphasis"><em>name-&gt;id</em></span> mapping is identical on all machines.
-This may be needed in particular when sharing files over both CIFS and NFS.
-</p><p>
-<a class="indexterm" name="id344157"></a>
-<a class="indexterm" name="id344163"></a>
-To use the <span class="emphasis"><em>LDAP</em></span> <em class="parameter"><code>ldap idmap suffix</code></em>, set:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id344186"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr></table><p>
-See the <code class="filename">smb.conf</code> man page entry for the <a class="link" href="smb.conf.5.html#LDAPIDMAPSUFFIX" target="_top">ldap idmap suffix</a>
-parameter for further information.
-</p><p>
-<a class="indexterm" name="id344222"></a>
-<a class="indexterm" name="id344228"></a>
-<a class="indexterm" name="id344235"></a>
-Do not forget to specify also the <a class="link" href="smb.conf.5.html#LDAPADMINDN" target="_top">ldap admin dn</a>
-and to make certain to set the LDAP administrative password into the <code class="filename">secrets.tdb</code> using:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbpasswd -w ldap-admin-password
-</pre><p>
-In place of <code class="literal">ldap-admin-password</code>, substitute the LDAP administration password for your
-system.
-</p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id344280"></a>Common Errors</h2></div></div></div><p>
-<a class="indexterm" name="id344287"></a>
-<a class="indexterm" name="id344294"></a>
-In the process of adding/deleting/re-adding domain member machine trust accounts, there are
-many traps for the unwary player and many <span class="quote">&#8220;<span class="quote">little</span>&#8221;</span> things that can go wrong.
-It is particularly interesting how often subscribers on the Samba mailing list have concluded
-after repeated failed attempts to add a machine account that it is necessary to <span class="quote">&#8220;<span class="quote">reinstall</span>&#8221;</span>
-MS Windows on the machine. In truth, it is seldom necessary to reinstall because of this type
-of problem. The real solution is often quite simple, and with an understanding of how MS Windows
-networking functions, it is easy to overcome.
-</p><div class="sect2" title="Cannot Add Machine Back to Domain"><div class="titlepage"><div><div><h3 class="title"><a name="id344314"></a>Cannot Add Machine Back to Domain</h3></div></div></div><p>
-<a class="indexterm" name="id344322"></a>
-<a class="indexterm" name="id344329"></a>
-<span class="quote">&#8220;<span class="quote">A Windows workstation was reinstalled. The original domain machine trust
-account was deleted and added immediately. The workstation will not join the domain if I use
-the same machine name. Attempts to add the machine fail with a message that the machine already
-exists on the network I know it does not. Why is this failing?</span>&#8221;</span>
-</p><p>
-<a class="indexterm" name="id344348"></a>
-<a class="indexterm" name="id344354"></a>
-The original name is still in the NetBIOS name cache and must expire after machine account
-deletion before adding that same name as a domain member again. The best advice is to delete
-the old account and then add the machine with a new name. Alternately, the name cache can be flushed and
-reloaded with current data using the <code class="literal">nbtstat</code> command on the Windows client:
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code> nbtstat -R
-</pre><p>
-</p></div><div class="sect2" title="Adding Machine to Domain Fails"><div class="titlepage"><div><div><h3 class="title"><a name="id344384"></a>Adding Machine to Domain Fails</h3></div></div></div><p>
-<a class="indexterm" name="id344391"></a>
-<a class="indexterm" name="id344398"></a>
-<span class="quote">&#8220;<span class="quote">Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a
-message that says, <span class="errorname">"The machine could not be added at this time, there is a network problem.
-Please try again later."</span> Why?</span>&#8221;</span>
-</p><p>
-<a class="indexterm" name="id344417"></a>
-You should check that there is an <a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a> in your <code class="filename">smb.conf</code>
-file. If there is not, please add one that is appropriate for your OS platform. If a script
-has been defined, you will need to debug its operation. Increase the <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a>
-in the <code class="filename">smb.conf</code> file to level 10, then try to rejoin the domain. Check the logs to see which
-operation is failing.
-</p><p>
-Possible causes include:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id344470"></a>
-<a class="indexterm" name="id344477"></a>
- The script does not actually exist, or could not be located in the path specified.
- </p><p>
-<a class="indexterm" name="id344487"></a>
-<a class="indexterm" name="id344493"></a>
- <span class="emphasis"><em>Corrective action:</em></span> Fix it. Make sure when run manually
- that the script will add both the UNIX system account and the Samba SAM account.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id344509"></a>
-<a class="indexterm" name="id344516"></a>
- The machine could not be added to the UNIX system accounts file <code class="filename">/etc/passwd</code>.
- </p><p>
-<a class="indexterm" name="id344532"></a>
-<a class="indexterm" name="id344539"></a>
- <span class="emphasis"><em>Corrective action:</em></span> Check that the machine name is a legal UNIX
- system account name. If the UNIX utility <code class="literal">useradd</code> is called,
- then make sure that the machine name you are trying to add can be added using this
- tool. <code class="literal">Useradd</code> on some systems will not allow any uppercase characters
- nor will it allow spaces in the name.
- </p></li></ul></div><p>
-<a class="indexterm" name="id344568"></a>
-<a class="indexterm" name="id344575"></a>
-<a class="indexterm" name="id344582"></a>
-The <a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a> does not create the
-machine account in the Samba backend database; it is there only to create a UNIX system
-account to which the Samba backend database account can be mapped.
-</p></div><div class="sect2" title="I Can't Join a Windows 2003 PDC"><div class="titlepage"><div><div><h3 class="title"><a name="id344604"></a>I Can't Join a Windows 2003 PDC</h3></div></div></div><p>
-<a class="indexterm" name="id344612"></a>
-<a class="indexterm" name="id344618"></a>
-<a class="indexterm" name="id344625"></a>
-<a class="indexterm" name="id344631"></a>
- Windows 2003 requires SMB signing. Client-side SMB signing has been implemented in Samba-3.0.
- Set <a class="link" href="smb.conf.5.html#CLIENTUSESPNEGO" target="_top">client use spnego = yes</a> when communicating
- with a Windows 2003 server. This will not interfere with other Windows clients that do not
- support the more advanced security features of Windows 2003 because the client will simply
- negotiate a protocol that both it and the server suppport. This is a well-known fall-back facility
- that is built into the SMB/CIFS protocols.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Backup Domain Control </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Standalone Servers</td></tr></table></div></body></html>
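Review bot: the tail of this hunk removes the page that owns the anchors `ads-create-machine-account`, `ads-test-server` and `ads-test-smbclient`, together with its Prev/Next links to `samba-bdc.html` and `StandAloneServer.html`, and nothing visible here says where readers should go instead. The commit message should state where the built HOWTO is published from now on, and any page that still links to `domain-member.html#...` should be updated or removed in the same change. The generated `indexterm` ids suggest this is build output; if the source it was generated from stays in the tree, that is the place to fix the two examples here that put a secret in argv (`net ads join -U Administrator%password` and `smbpasswd -w ldap-admin-password`), where it is exposed to process listings and shell history. Documenting the prompting form is safer.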
diff --git a/docs/htmldocs/Samba3-HOWTO/go01.html b/docs/htmldocs/Samba3-HOWTO/go01.html
deleted file mode 100644
index f007c94ef4..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/go01.html
+++ /dev/null
@@ -1,100 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Glossary</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="apa.html" title="Appendix A.  GNU General Public License version 3"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Glossary</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="apa.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="glossary" title="Glossary"><div class="titlepage"><div><div><h2 class="title"><a name="id455752"></a>Glossary</h2></div></div></div><dl><dt>Access Control List</dt><dd><p>
- A detailed list of permissions granted to users or groups with respect to file and network resource access.
- See <a class="link" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">&#8220;File, Directory, and Share Access Controls&#8221;</a>,
- for details.</p></dd><dt>Active Directory Service</dt><dd><p>
- A service unique to Microsoft Windows 200x servers that provides a centrally managed
- directory for management of user identities and computer objects, as well as the permissions
- each user or computer may be granted to access
- distributed network resources. ADS uses Kerberos-based
- authentication and LDAP over Kerberos for directory access.
- </p></dd><dt>Common Internet File System</dt><dd><p>The new name for SMB. Microsoft renamed the
- SMB protocol to CIFS during the Internet hype in the nineties.
- At about the time that the SMB protocol was renamed to CIFS, an
- additional dialect of the SMB protocol was in development.
- The need for the deployment of the NetBIOS layer was also
- removed, thus paving the way for use of the SMB protocol natively
- over TCP/IP (known as NetBIOS-less SMB or <span class="quote">&#8220;<span class="quote">naked</span>&#8221;</span> TCP transport).
- </p></dd><dt>Common UNIX Printing System</dt><dd><p>
- A recent implementation of a high capability printing system for UNIX developed by
- <a class="ulink" href="http://www.easysw.com/" target="_top">http://www.easysw.com/</a>. The design objective of CUPS was to provide
- a rich print processing system that has built-in intelligence capable of correctly rendering (processing)
- a file that is submitted for printing even if it was formatted for an entirely different printer.
- </p></dd><dt>Domain Master Browser</dt><dd><p>The domain master browser maintains a list of all the servers that
- have announced their services within a given workgroup or NT domain. See <a class="link" href="NetworkBrowsing.html#DMB" title="Configuring Workgroup Browsing">&#8220;Configuring Workgroup Browsing&#8221;</a> for details.
- </p></dd><dt>Domain Name Service</dt><dd><p>
- A protocol by which computer hostnames may be resolved to the matching IP address/es. DNS is implemented
- by the Berkeley Internet Name Daemon. There exists a recent version of DNS that allows dynamic name registration
- by network clients or by a DHCP server. This recent protocol is known as dynamic DNS (DDNS).
- </p></dd><dt>Dynamic Host Configuration Protocol</dt><dd><p>
- A protocol that was based on the BOOTP protocol that may be used to dynamically assign an IP address,
- from a reserved pool of addresses, to a network client or device. Additionally, DHCP may assign all
- network configuration settings and may be used to register a computer name and its address with a
- dynamic DNS server.
- </p></dd><dt>Extended Meta-file Format</dt><dd><p>
- An intermediate file format used by Microsoft Windows-based servers and clients. EMF files may be
- rendered into a page description language by a print processor.
- </p></dd><dt>Graphical Device Interface</dt><dd><p>
- Device-independent format for printing used by Microsoft Windows.
- It is quite similar to what PostScript is for UNIX. Printing jobs are first generated in GDI and
- then converted to a device-specific format. See <a class="link" href="CUPS-printing.html#gdipost" title="GDI on Windows, PostScript on UNIX">&#8220;GDI on Windows, PostScript on UNIX&#8221;</a> for details.
- </p></dd><dt>Group IDentifier</dt><dd><p>
- The UNIX system group identifier; on older systems, a 32-bit unsigned integer, and on newer systems
- an unsigned 64-bit integer. The GID is used in UNIX-like operating systems for all group-level access
- control.
- </p></dd><dt>Internet Print Protocol</dt><dd><p>An IETF standard for network printing. CUPS
- implements IPP.</p></dd><dt>Key Distribution Center</dt><dd><p>The Kerberos authentication protocol makes use of security keys (also called a ticket)
- by which access to network resources is controlled. The issuing of Kerberos tickets is effected by
- a KDC.</p></dd><dt>NetBIOS Extended User Interface</dt><dd><p>
- Very simple network protocol invented by IBM and Microsoft. It is used
- to do NetBIOS over Ethernet with low overhead. NetBEUI is a nonroutable
- protocol.
- </p></dd><dt>Network Basic Input/Output System</dt><dd><p>
- NetBIOS is a simple application programming interface (API) invented in the 1980s
- that allows programs to send data to certain network names.
- NetBIOS is always run over another network protocol such
- as IPX/SPX, TCP/IP, or Logical Link Control (LLC). NetBIOS run over LLC
- is best known as NetBEUI (NetBIOS Extended User Interface a complete misnomer!).
- </p></dd><dt>NetBT</dt><dd><p>Protocol for transporting NetBIOS frames over TCP/IP. Uses ports 137, 138, and 139.
- NetBT is a fully routable protocol.
- </p></dd><dt>Local Master Browser</dt><dd><p>The local master browser maintains a list
- of all servers that have announced themselves within a given workgroup or NT domain on a particular
- broadcast-isolated subnet. See <a class="link" href="NetworkBrowsing.html#DMB" title="Configuring Workgroup Browsing">&#8220;Configuring Workgroup Browsing&#8221;</a> for details.
- </p></dd><dt>Printer Command Language</dt><dd><p>
- A printer page description language that was developed by Hewlett-Packard
- and is in common use today.
- </p></dd><dt>Portable Document Format</dt><dd><p>
- A highly compressed document format, based on PostScript, used as a document distribution format
- that is supported by Web browsers as well as many applications. Adobe also distributes an application
- called <span class="quote">&#8220;<span class="quote">Acrobat,</span>&#8221;</span> which is a PDF reader.
- </p></dd><dt>Page Description Language</dt><dd><p>A language for describing the layout and contents of a printed page.
- The best-known PDLs are Adobe PostScript and Hewlett-Packard PCL (Printer Control Language),
- both of which are used to control laser printers.</p></dd><dt>PostScript Printer Description</dt><dd><p>
- PPDs specify and control options supported by PostScript printers, such as duplexing, stapling,
- and DPI. See also <a class="link" href="CUPS-printing.html#post-and-ghost" title="PostScript and Ghostscript">&#8220;PostScript and Ghostscript&#8221;</a>. PPD files can be read by printing applications
- to enable correct PostScript page layout for a particular PostScript printer.
- </p></dd><dt>Remote Procedure Call</dt><dd><p>
- RPCs are a means for executing network operations. The RPC protocol is independent of transport protocols. RPC
- does not try to implement any kind of reliability and the application that uses RPCs must be aware of the type
- of transport protocol underneath RPC. An RPC is like a programmatic jump subroutine over a network. RPCs used
- in the UNIX environment are specified in RFC 1050. RPC is a powerful technique for constructing distributed,
- client-server based applications. It is based on extending the notion of conventional, or local procedure
- calling, so that the called procedure need not exist in the same address space as the calling procedure. The
- two processes may be on the same system, or they may be on different systems with a network connecting them.
- By using RPC, programmers of distributed applications avoid the details of the interface with the network. The
- transport independence of RPC isolates the application from the physical and logical elements of the data
- communications mechanism and allows the application to use a variety of transports.
- </p></dd><dt>Server Message Block</dt><dd><p>
- SMB was the original name of the protocol `spoken' by
- Samba. It was invented in the 1980s by IBM and adopted
- and extended further by Microsoft. Microsoft
- renamed the protocol to CIFS during the Internet hype in the
- 1990s.
- </p></dd><dt>User IDentifier</dt><dd><p>
- The UNIX system user identifier; on older systems a 32-bit unsigned integer, and on newer systems,
- an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user-level access
- control.
- </p></dd><dt>Universal Naming Convention</dt><dd><p>A syntax for specifying the location of network resources (such as file shares).
- The UNC syntax was developed in the early days of MS DOS 3.x and is used internally by the SMB protocol.
- </p></dd></dl></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="apa.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Appendix A. 
- <acronym class="acronym">GNU</acronym> General Public License version 3
-  </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html>
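Review bot: the first deleted line of `go01.html` carries `<meta name="generator" content="DocBook XSL Stylesheets V1.75.2">` and a title pinned to "The Official Samba 3.5.x HOWTO and Reference Guide", so this is versioned build output, and deleting it only holds if something stops it from being committed again. Pair the removal with an ignore rule for the generated directory or a line in the build documentation, if this commit does not already include one. The glossary entries link to sibling pages (`AccessControls.html`, `NetworkBrowsing.html#DMB`, `CUPS-printing.html#gdipost`, `CUPS-printing.html#post-and-ghost`), so check that those pages are removed in the same commit and that none survives with a link back to this file.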
diff --git a/docs/htmldocs/Samba3-HOWTO/groupmapping.html b/docs/htmldocs/Samba3-HOWTO/groupmapping.html
deleted file mode 100644
index cce62c7d95..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/groupmapping.html
+++ /dev/null
@@ -1,505 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Group Mapping: MS Windows and UNIX</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Group Mapping: MS Windows and UNIX</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="NetCommand.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 12. Group Mapping: MS Windows and UNIX"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. 
Group Mapping: MS Windows and UNIX</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="groupmapping.html#id364981">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="groupmapping.html#id365375">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id365690">Warning: User Private Group Problems</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id366270">Important Administrative Information</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367100">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id367172">Configuration Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id367182">Sample <code 
class="filename">smb.conf</code> Add Group Script</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367342">Script to Configure Group Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id367456">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id367467">Adding Groups Fails</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367547">Adding Domain Users to the Workstation Power Users Group</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id364863"></a>
-<a class="indexterm" name="id364872"></a>
-<a class="indexterm" name="id364879"></a>
-<a class="indexterm" name="id364885"></a>
-<a class="indexterm" name="id364892"></a>
-<a class="indexterm" name="id364899"></a>
- Starting with Samba-3, new group mapping functionality is available to create associations
- between Windows group SIDs and UNIX group GIDs. The <code class="literal">groupmap</code> subcommand
- included with the <span class="application">net</span> tool can be used to manage these associations.
- </p><p>
-<a class="indexterm" name="id364922"></a>
-<a class="indexterm" name="id364929"></a>
- The new facility for mapping NT groups to UNIX system groups allows the administrator to decide
- which NT domain groups are to be exposed to MS Windows clients. Only those NT groups that map
- to a UNIX group that has a value other than the default (<code class="constant">-1</code>) will be exposed
- in group selection lists in tools that access domain users and groups.
- </p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
- <a class="indexterm" name="id364948"></a>
-<a class="indexterm" name="id364955"></a>
- The <em class="parameter"><code>domain admin group</code></em> parameter has been removed in Samba-3 and should no longer
- be specified in <code class="filename">smb.conf</code>. In Samba-2.2.x, this parameter was used to give the listed users membership in the
- <code class="constant">Domain Admins</code> Windows group, which gave local admin rights on their workstations
- (in default configurations).
- </p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id364981"></a>Features and Benefits</h2></div></div></div><p>
- Samba allows the administrator to create MS Windows NT4/200x group accounts and to
- arbitrarily associate them with UNIX/Linux group accounts.
- </p><p>
- <a class="indexterm" name="id364993"></a>
- <a class="indexterm" name="id364999"></a>
- <a class="indexterm" name="id365006"></a>
-<a class="indexterm" name="id365013"></a>
-<a class="indexterm" name="id365019"></a>
-<a class="indexterm" name="id365026"></a>
-<a class="indexterm" name="id365033"></a>
- Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools.
- Appropriate interface scripts should be provided in <code class="filename">smb.conf</code> if it is desired that UNIX/Linux system
- accounts should be automatically created when these tools are used. In the absence of these scripts, and
- so long as <code class="literal">winbindd</code> is running, Samba group accounts that are created using these
- tools will be allocated UNIX UIDs and GIDs from the ID range specified by the
- <a class="link" href="smb.conf.5.html#IDMAPUID" target="_top">idmap uid</a>/<a class="link" href="smb.conf.5.html#IDMAPGID" target="_top">idmap gid</a>
- parameters in the <code class="filename">smb.conf</code> file.
- </p><div class="figure"><a name="idmap-sid2gid"></a><p class="title"><b>Figure 12.1. IDMAP: Group SID-to-GID Resolution.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-sid2gid.png" width="270" alt="IDMAP: Group SID-to-GID Resolution."></div></div></div><br class="figure-break"><div class="figure"><a name="idmap-gid2sid"></a><p class="title"><b>Figure 12.2. IDMAP: GID Resolution to Matching SID.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-gid2sid.png" width="270" alt="IDMAP: GID Resolution to Matching SID."></div></div></div><br class="figure-break"><p>
- <a class="indexterm" name="id365170"></a>
-<a class="indexterm" name="id365177"></a>
-<a class="indexterm" name="id365184"></a>
-<a class="indexterm" name="id365193"></a>
- In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
- <a class="link" href="groupmapping.html#idmap-sid2gid" title="Figure 12.1. IDMAP: Group SID-to-GID Resolution.">IDMAP: Group SID-to-GID Resolution</a> and <a class="link" href="groupmapping.html#idmap-gid2sid" title="Figure 12.2. IDMAP: GID Resolution to Matching SID.">IDMAP: GID Resolution to Matching SID</a>. The <code class="literal">net groupmap</code> is
- used to establish UNIX group to NT SID mappings as shown in <a class="link" href="groupmapping.html#idmap-store-gid2sid" title="Figure 12.3. IDMAP Storing Group Mappings.">IDMAP: storing
- group mappings</a>.
- </p><div class="figure"><a name="idmap-store-gid2sid"></a><p class="title"><b>Figure 12.3. IDMAP Storing Group Mappings.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-store-gid2sid.png" width="270" alt="IDMAP Storing Group Mappings."></div></div></div><br class="figure-break"><p>
- <a class="indexterm" name="id365273"></a>
- <a class="indexterm" name="id365280"></a>
-<a class="indexterm" name="id365286"></a>
-<a class="indexterm" name="id365293"></a>
- Administrators should be aware that where <code class="filename">smb.conf</code> group interface scripts make
- direct calls to the UNIX/Linux system tools (the shadow utilities, <code class="literal">groupadd</code>,
- <code class="literal">groupdel</code>, and <code class="literal">groupmod</code>), the resulting UNIX/Linux group names will be subject
- to any limits imposed by these tools. If the tool does not allow uppercase characters
- or space characters, then the creation of an MS Windows NT4/200x-style group of
- <code class="literal">Engineering Managers</code> will attempt to create an identically named
- UNIX/Linux group, an attempt that will of course fail.
- </p><p>
- <a class="indexterm" name="id365337"></a>
- <a class="indexterm" name="id365343"></a>
- There are several possible workarounds for the operating system tools limitation. One
- method is to use a script that generates a name for the UNIX/Linux system group that
- fits the operating system limits and that then just passes the UNIX/Linux group ID (GID)
- back to the calling Samba interface. This will provide a dynamic workaround solution.
- </p><p>
-<a class="indexterm" name="id365356"></a>
- Another workaround is to manually create a UNIX/Linux group, then manually create the
- MS Windows NT4/200x group on the Samba server, and then use the <code class="literal">net groupmap</code>
- tool to connect the two to each other.
- </p></div><div class="sect1" title="Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id365375"></a>Discussion</h2></div></div></div><p>
-<a class="indexterm" name="id365383"></a>
-<a class="indexterm" name="id365390"></a>
- When you install <span class="application">MS Windows NT4/200x</span> on a computer, the installation
- program creates default users and groups, notably the <code class="constant">Administrators</code> group,
- and gives that group privileges necessary to perform essential system tasks,
- such as the ability to change the date and time or to kill (or close) any process running on the
- local machine.
- </p><p>
- <a class="indexterm" name="id365412"></a>
- The <code class="constant">Administrator</code> user is a member of the <code class="constant">Administrators</code> group, and thus inherits
- <code class="constant">Administrators</code> group privileges. If a <code class="constant">joe</code> user is created to be a member of the
- <code class="constant">Administrators</code> group, <code class="constant">joe</code> has exactly the same rights as the user
- <code class="constant">Administrator</code>.
- </p><p>
-<a class="indexterm" name="id365449"></a>
-<a class="indexterm" name="id365456"></a>
-<a class="indexterm" name="id365462"></a>
-<a class="indexterm" name="id365469"></a>
- When an MS Windows NT4/200x/XP machine is made a domain member, the <span class="quote">&#8220;<span class="quote">Domain Admins</span>&#8221;</span> group of the
- PDC is added to the local <code class="constant">Administrators</code> group of the workstation. Every member of the
- <code class="constant">Domain Admins</code> group inherits the rights of the local <code class="constant">Administrators</code> group when
- logging on the workstation.
- </p><p>
-<a class="indexterm" name="id365496"></a>
-<a class="indexterm" name="id365502"></a>
- The following steps describe how to make Samba PDC users members of the <code class="constant">Domain Admins</code> group.
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- Create a UNIX group (usually in <code class="filename">/etc/group</code>); let's call it <code class="constant">domadm</code>.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id365539"></a>
- Add to this group the users that must be <span class="quote">&#8220;<span class="quote">Administrators</span>&#8221;</span>. For example,
- if you want <code class="constant">joe, john</code>, and <code class="constant">mary</code> to be administrators,
- your entry in <code class="filename">/etc/group</code> will look like this:
- </p><pre class="programlisting">
- domadm:x:502:joe,john,mary
- </pre><p>
- </p></li><li class="listitem"><p>
- Map this domadm group to the <span class="quote">&#8220;<span class="quote">Domain Admins</span>&#8221;</span> group by executing the command:
- </p><p>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d</code></strong>
-</pre><p>
- </p><p>
- <a class="indexterm" name="id365603"></a>
- The quotes around <span class="quote">&#8220;<span class="quote">Domain Admins</span>&#8221;</span> are necessary due to the space in the group name.
- Also make sure to leave no white space surrounding the equal character (=).
- </p></li></ol></div><p>
- Now <code class="constant">joe, john</code>, and <code class="constant">mary</code> are domain administrators.
- </p><p>
- <a class="indexterm" name="id365630"></a>
- It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as
- to make any UNIX group a Windows domain group. For example, if you wanted to include a
- UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine,
- you would flag that group as a domain group by running the following on the Samba PDC:
- </p><p>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d</code></strong>
-</pre><p>
- The <code class="literal">ntgroup</code> value must be in quotes if it contains space characters to prevent
- the space from being interpreted as a command delimiter.
- </p><p>
-<a class="indexterm" name="id365672"></a>
-<a class="indexterm" name="id365679"></a>
- Be aware that the RID parameter is an unsigned 32-bit integer that should
- normally start at 1000. However, this RID must not overlap with any RID assigned
- to a user. Verification for this is done differently depending on the passdb backend
- you are using. Future versions of the tools may perform the verification automatically,
- but for now the burden is on you.
- </p><div class="sect2" title="Warning: User Private Group Problems"><div class="titlepage"><div><div><h3 class="title"><a name="id365690"></a>Warning: User Private Group Problems</h3></div></div></div><p>
-<a class="indexterm" name="id365698"></a>
-<a class="indexterm" name="id365704"></a>
-<a class="indexterm" name="id365711"></a>
- Windows does not permit user and group accounts to have the same name.
- This has serious implications for all sites that use private group accounts.
- A private group account is an administrative practice whereby users are each
- given their own group account. Red Hat Linux, as well as several free distributions
- of Linux, by default create private groups.
- </p><p>
-<a class="indexterm" name="id365724"></a>
-<a class="indexterm" name="id365731"></a>
- When mapping a UNIX/Linux group to a Windows group account, all conflict can
- be avoided by assuring that the Windows domain group name does not overlap
- with any user account name.
- </p></div><div class="sect2" title="Nested Groups: Adding Windows Domain Groups to Windows Local Groups"><div class="titlepage"><div><div><h3 class="title"><a name="id365742"></a>Nested Groups: Adding Windows Domain Groups to Windows Local Groups</h3></div></div></div><a class="indexterm" name="id365748"></a><p>
-<a class="indexterm" name="id365759"></a>
- This functionality is known as <code class="constant">nested groups</code> and was first added to
- Samba-3.0.3.
- </p><p>
-<a class="indexterm" name="id365774"></a>
- All MS Windows products since the release of Windows NT 3.10 support the use of nested groups.
- Many Windows network administrators depend on this capability because it greatly simplifies security
- administration.
- </p><p>
-<a class="indexterm" name="id365786"></a>
-<a class="indexterm" name="id365792"></a>
-<a class="indexterm" name="id365799"></a>
-<a class="indexterm" name="id365806"></a>
-<a class="indexterm" name="id365813"></a>
-<a class="indexterm" name="id365820"></a>
-<a class="indexterm" name="id365826"></a>
- The nested group architecture was designed with the premise that day-to-day user and group membership
- management should be performed on the domain security database. The application of group security
- should be implemented on domain member servers using only local groups. On the domain member server,
- all file system security controls are then limited to use of the local groups, which will contain
- domain global groups and domain global users.
- </p><p>
-<a class="indexterm" name="id365840"></a>
-<a class="indexterm" name="id365847"></a>
-<a class="indexterm" name="id365854"></a>
- You may ask, What are the benefits of this arrangement? The answer is obvious to those who have plumbed
- the dark depths of Windows networking architecture. Consider for a moment a server on which are stored
- 200,000 files, each with individual domain user and domain group settings. The company that owns the
- file server is bought by another company, resulting in the server being moved to another location, and then
- it is made a member of a different domain. Who would you think now owns all the files and directories?
- Answer: Account Unknown.
- </p><p>
-<a class="indexterm" name="id365869"></a>
-<a class="indexterm" name="id365876"></a>
-<a class="indexterm" name="id365882"></a>
-<a class="indexterm" name="id365889"></a>
- Unraveling the file ownership mess is an unenviable administrative task that can be avoided simply
- by using local groups to control all file and directory access control. In this case, only the members
- of the local groups will have been lost. The files and directories in the storage subsystem will still
- be owned by the local groups. The same goes for all ACLs on them. It is administratively much simpler
- to delete the <code class="constant">Account Unknown</code> membership entries inside local groups with appropriate
- entries for domain global groups in the new domain that the server has been made a member of.
- </p><p>
-<a class="indexterm" name="id365908"></a>
-<a class="indexterm" name="id365914"></a>
-<a class="indexterm" name="id365921"></a>
-<a class="indexterm" name="id365928"></a>
-<a class="indexterm" name="id365935"></a>
-<a class="indexterm" name="id365942"></a>
-<a class="indexterm" name="id365949"></a>
-<a class="indexterm" name="id365955"></a>
- Another prominent example of the use of nested groups involves implementation of administrative privileges
- on domain member workstations and servers. Administrative privileges are given to all members of the
- built-in local group <code class="constant">Administrators</code> on each domain member machine. To ensure that all domain
- administrators have full rights on the member server or workstation, on joining the domain, the
- <code class="constant">Domain Admins</code> group is added to the local Administrators group. Thus everyone who is
- logged into the domain as a member of the Domain Admins group is also granted local administrative
- privileges on each domain member.
- </p><p>
-<a class="indexterm" name="id365978"></a>
-<a class="indexterm" name="id365985"></a>
-<a class="indexterm" name="id365992"></a>
-<a class="indexterm" name="id365998"></a>
- UNIX/Linux has no concept of support for nested groups, and thus Samba has for a long time not supported
- them either. The problem is that you would have to enter UNIX groups as auxiliary members of a group in
- <code class="filename">/etc/group</code>. This does not work because it was not a design requirement at the time
- the UNIX file system security model was implemented. Since Samba-2.2, the winbind daemon can provide
- <code class="filename">/etc/group</code> entries on demand by obtaining user and group information from the domain
- controller that the Samba server is a member of.
- </p><p>
-<a class="indexterm" name="id366024"></a>
-<a class="indexterm" name="id366031"></a>
-<a class="indexterm" name="id366038"></a>
-<a class="indexterm" name="id366045"></a>
-<a class="indexterm" name="id366052"></a>
- In effect, Samba supplements the <code class="filename">/etc/group</code> data via the dynamic
- <code class="literal">libnss_winbind</code> mechanism. Beginning with Samba-3.0.3, this facility is used to provide
- local groups in the same manner as Windows. It works by expanding the local groups on the
- fly as they are accessed. For example, the <code class="constant">Domain Users</code> group of the domain is made
- a member of the local group <code class="constant">demo</code>. Whenever Samba needs to resolve membership of the
- <code class="constant">demo</code> local (alias) group, winbind asks the domain controller for demo members of the Domain Users
- group. By definition, it can only contain user objects, which can then be faked to be member of the
- UNIX/Linux group <code class="constant">demo</code>.
- </p><p>
-<a class="indexterm" name="id366093"></a>
-<a class="indexterm" name="id366099"></a>
-<a class="indexterm" name="id366106"></a>
-<a class="indexterm" name="id366113"></a>
-<a class="indexterm" name="id366120"></a>
-<a class="indexterm" name="id366126"></a>
-<a class="indexterm" name="id366133"></a>
- To enable the use of nested groups, <code class="literal">winbindd</code> must be used with NSS winbind.
- Creation and administration of the local groups is done best via the Windows Domain User Manager or its
- Samba equivalent, the utility <code class="literal">net rpc group</code>. Creating the local group
- <code class="constant">demo</code> is achieved by executing:
- </p><pre class="screen">
- <code class="prompt">root# </code> net rpc group add demo -L -Uroot%not24get
- </pre><p>
-<a class="indexterm" name="id366174"></a>
-<a class="indexterm" name="id366180"></a>
- Here the -L switch means that you want to create a local group. It may be necessary to add -S and -U
- switches for accessing the correct host with appropriate user or root privileges. Adding and removing
- group members can be done via the <code class="constant">addmem</code> and <code class="constant">delmem</code> subcommands of
- <code class="literal">net rpc group</code> command. For example, addition of <span class="quote">&#8220;<span class="quote">DOM\Domain Users</span>&#8221;</span> to the
- local group <code class="constant">demo</code> is done by executing:
- </p><pre class="screen">
- net rpc group addmem demo "DOM\Domain Users"
- </pre><p>
-<a class="indexterm" name="id366217"></a>
-<a class="indexterm" name="id366223"></a>
-<a class="indexterm" name="id366230"></a>
-<a class="indexterm" name="id366237"></a>
- Having completed these two steps, the execution of <code class="literal">getent group demo</code> will show demo
- members of the global <code class="constant">Domain Users</code> group as members of the group
- <code class="constant">demo</code>. This also works with any local or domain user. In case the domain DOM trusts
- another domain, it is also possible to add global users and groups of the trusted domain as members of
- <code class="constant">demo</code>. The users from the foreign domain who are members of the group that has been
- added to the <code class="constant">demo</code> group now have the same local access permissions as local domain
- users have.
- </p></div><div class="sect2" title="Important Administrative Information"><div class="titlepage"><div><div><h3 class="title"><a name="id366270"></a>Important Administrative Information</h3></div></div></div><p>
- Administrative rights are necessary in two specific forms:
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>For Samba-3 domain controllers and domain member servers/clients.</p></li><li class="listitem"><p>To manage domain member Windows workstations.</p></li></ol></div><p>
-<a class="indexterm" name="id366300"></a>
-<a class="indexterm" name="id366306"></a>
-<a class="indexterm" name="id366313"></a>
- Versions of Samba up to and including 3.0.10 do not provide a means for assigning rights and privileges
- that are necessary for system administration tasks from a Windows domain member client machine, so
- domain administration tasks such as adding, deleting, and changing user and group account information, and
- managing workstation domain membership accounts, can be handled by any account other than root.
- </p><p>
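Review bot: The removed paragraph under "Important Administrative Information" states that, for Samba versions up to and including 3.0.10, the listed domain administration tasks "can be handled by any account other than root". That contradicts its own premise (no means of assigning rights and privileges) and the paragraph after it, where Samba-3.0.11 is the release that first permits delegating these tasks to non-root accounts. If this chapter is carried forward or regenerated anywhere, the sentence should read "cannot be handled by any account other than root".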
-<a class="indexterm" name="id366327"></a>
-<a class="indexterm" name="id366334"></a>
-<a class="indexterm" name="id366340"></a>
- Samba-3.0.11 introduced a new privilege management interface (see <a class="link" href="rights.html" title="Chapter 15. User Rights and Privileges">User Rights and Privileges</a>)
- that permits these tasks to be delegated to non-root (i.e., accounts other than the equivalent of the
- MS Windows Administrator) accounts.
- </p><p>
-<a class="indexterm" name="id366360"></a>
-<a class="indexterm" name="id366366"></a>
- Administrative tasks on a Windows domain member workstation can be done by anyone who is a member of the
- <code class="constant">Domain Admins</code> group. This group can be mapped to any convenient UNIX group.
- </p><div class="sect3" title="Applicable Only to Versions Earlier than 3.0.11"><div class="titlepage"><div><div><h4 class="title"><a name="id366379"></a>Applicable Only to Versions Earlier than 3.0.11</h4></div></div></div><p>
-<a class="indexterm" name="id366387"></a>
- Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires
- <code class="constant">root</code>-level privilege. The addition of a Windows client to a Samba domain involves the
- addition of a user account for the Windows client.
- </p><p>
-<a class="indexterm" name="id366403"></a>
-<a class="indexterm" name="id366410"></a>
- Many UNIX administrators continue to request that the Samba Team make it possible to add Windows workstations, or
- the ability to add, delete, or modify user accounts, without requiring <code class="constant">root</code> privileges.
- Such a request violates every understanding of basic UNIX system security.
- </p><p>
-<a class="indexterm" name="id366426"></a>
-<a class="indexterm" name="id366432"></a>
-<a class="indexterm" name="id366439"></a>
-<a class="indexterm" name="id366446"></a>
-<a class="indexterm" name="id366453"></a>
-<a class="indexterm" name="id366460"></a>
- There is no safe way to provide access on a UNIX/Linux system without providing
- <code class="constant">root</code>-level privileges. Provision of <code class="constant">root</code> privileges can be done
- either by logging on to the Domain as the user <code class="constant">root</code> or by permitting particular users to
- use a UNIX account that has a UID=0 in the <code class="filename">/etc/passwd</code> database. Users of such accounts
- can use tools like the NT4 Domain User Manager and the NT4 Domain Server Manager to manage user and group
- accounts as well as domain member server and client accounts. This level of privilege is also needed to manage
- share-level ACLs.
- </p></div></div><div class="sect2" title="Default Users, Groups, and Relative Identifiers"><div class="titlepage"><div><div><h3 class="title"><a name="id366491"></a>Default Users, Groups, and Relative Identifiers</h3></div></div></div><p>
- <a class="indexterm" name="id366499"></a>
- <a class="indexterm" name="id366508"></a>
-<a class="indexterm" name="id366514"></a>
-<a class="indexterm" name="id366521"></a>
-<a class="indexterm" name="id366528"></a>
-<a class="indexterm" name="id366535"></a>
-<a class="indexterm" name="id366542"></a>
-<a class="indexterm" name="id366548"></a>
- When first installed, Windows NT4/200x/XP are preconfigured with certain user, group, and
- alias entities. Each has a well-known RID. These must be preserved for continued
- integrity of operation. Samba must be provisioned with certain essential domain groups that require
- the appropriate RID value. When Samba-3 is configured to use <code class="constant">tdbsam</code>, the essential
- domain groups are automatically created. It is the LDAP administrator's responsibility to create
- (provision) the default NT groups.
- </p><p>
-<a class="indexterm" name="id366566"></a>
-<a class="indexterm" name="id366573"></a>
-<a class="indexterm" name="id366580"></a>
-<a class="indexterm" name="id366587"></a>
- Each essential domain group must be assigned its respective well-known RID. The default users, groups,
- aliases, and RIDs are shown in <a class="link" href="groupmapping.html#WKURIDS" title="Table 12.1. Well-Known User Default RIDs">Well-Known User Default RIDs</a>.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id366607"></a>
-<a class="indexterm" name="id366613"></a>
-<a class="indexterm" name="id366620"></a>
-<a class="indexterm" name="id366627"></a>
-<a class="indexterm" name="id366634"></a>
- It is the administrator's responsibility to create the essential domain groups and to assign each
- its default RID.
- </p></div><p>
-<a class="indexterm" name="id366644"></a>
-<a class="indexterm" name="id366651"></a>
- It is permissible to create any domain group that may be necessary; just make certain that the essential
- domain groups (well known) have been created and assigned their default RIDs. Other groups you create may
- be assigned any arbitrary RID you care to use.
- </p><p>
- Be sure to map each domain group to a UNIX system group. That is the only way to ensure that the group
- will be available for use as an NT domain group.
- </p><p>
- </p><div class="table"><a name="WKURIDS"></a><p class="title"><b>Table 12.1. Well-Known User Default RIDs</b></p><div class="table-contents"><table summary="Well-Known User Default RIDs" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Well-Known Entity</th><th align="left">RID</th><th align="left">Type</th><th align="center">Essential</th></tr></thead><tbody><tr><td align="left">Domain Administrator</td><td align="left">500</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain Guest</td><td align="left">501</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain KRBTGT</td><td align="left">502</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain Admins</td><td align="left">512</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Users</td><td align="left">513</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Guests</td><td align="left">514</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Computers</td><td align="left">515</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Controllers</td><td align="left">516</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Certificate Admins</td><td align="left">517</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Schema Admins</td><td align="left">518</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Enterprise Admins</td><td align="left">519</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Policy Admins</td><td align="left">520</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Builtin 
Admins</td><td align="left">544</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin users</td><td align="left">545</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Guests</td><td align="left">546</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Power Users</td><td align="left">547</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Account Operators</td><td align="left">548</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin System Operators</td><td align="left">549</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Print Operators</td><td align="left">550</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Backup Operators</td><td align="left">551</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Replicator</td><td align="left">552</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin RAS Servers</td><td align="left">553</td><td align="left">Alias</td><td align="center">No</td></tr></tbody></table></div></div><p><br class="table-break">
- </p></div><div class="sect2" title="Example Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id367100"></a>Example Configuration</h3></div></div></div><p>
-<a class="indexterm" name="id367108"></a>
- You can list the various groups in the mapping database by executing
- <code class="literal">net groupmap list</code>. Here is an example:
- </p><p>
-<a class="indexterm" name="id367129"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>net groupmap list</code></strong>
-Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -&gt; domadmin
-Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -&gt; domuser
-Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -&gt; domguest
-</pre><p>
- </p><p>
- For complete details on <code class="literal">net groupmap</code>, refer to the net(8) man page.
- </p></div></div><div class="sect1" title="Configuration Scripts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id367172"></a>Configuration Scripts</h2></div></div></div><p>
- Everyone needs tools. Some of us like to create our own, others prefer to use canned tools
- (i.e., prepared by someone else for general use).
- </p><div class="sect2" title="Sample smb.conf Add Group Script"><div class="titlepage"><div><div><h3 class="title"><a name="id367182"></a>Sample <code class="filename">smb.conf</code> Add Group Script</h3></div></div></div><p>
- <a class="indexterm" name="id367196"></a>
- <a class="indexterm" name="id367202"></a>
- <a class="indexterm" name="id367209"></a>
-<a class="indexterm" name="id367216"></a>
-<a class="indexterm" name="id367223"></a>
- A script to create complying group names for use by the Samba group interfaces
- is provided in <a class="link" href="groupmapping.html#smbgrpadd.sh" title="Example 12.1. smbgrpadd.sh">smbgrpadd.sh</a>. This script
- adds a temporary entry in the <code class="filename">/etc/group</code> file and then renames
- it to the desired name. This is an example of a method to get around operating
- system maintenance tool limitations such as those present in some version of the
- <code class="literal">groupadd</code> tool.
-</p><div class="example"><a name="smbgrpadd.sh"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><div class="example-contents"><pre class="programlisting">
-#!/bin/bash
-
-# Add the group using normal system groupadd tool.
-groupadd smbtmpgrp00
-
-thegid=`cat /etc/group | grep ^smbtmpgrp00 | cut -d ":" -f3`
-
-# Now change the name to what we want for the MS Windows networking end
-cp /etc/group /etc/group.bak
-cat /etc/group.bak | sed "s/^smbtmpgrp00/$1/g" &gt; /etc/group
-rm /etc/group.bak
-
-# Now return the GID as would normally happen.
-echo $thegid
-exit 0
-</pre></div></div><p><br class="example-break">
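Review bot: The removed smbgrpadd.sh example interpolates "$1" unescaped into the sed expression "s/^smbtmpgrp00/$1/g" and rewrites /etc/group through a truncating redirect, then deletes the backup unconditionally. The argument is the "%g" group name handed over by the add group script setting shown in Example 12.2, so a name containing "/" or "&" changes the substitution, and a failed write leaves a damaged /etc/group with /etc/group.bak already removed. The script also echoes the GID and exits 0 without checking that groupadd succeeded. If this example is kept in any copy that survives this removal, it should escape the name before substitution, write to a temporary file and rename it over /etc/group, and fail with a non-zero exit when groupadd or the rewrite fails.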
-</p><p>
- The <code class="filename">smb.conf</code> entry for the above script shown in <a class="link" href="groupmapping.html#smbgrpadd" title="Example 12.2. Configuration of smb.conf for the add group Script">the configuration of
- <code class="filename">smb.conf</code> for the add group Script</a> demonstrates how it may be used.
-
-</p><div class="example"><a name="smbgrpadd"></a><p class="title"><b>Example 12.2. Configuration of <code class="filename">smb.conf</code> for the add group Script</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id367327"></a><em class="parameter"><code>add group script = /path_to_tool/smbgrpadd.sh "%g"</code></em></td></tr></table></div></div><p><br class="example-break">
- </p></div><div class="sect2" title="Script to Configure Group Mapping"><div class="titlepage"><div><div><h3 class="title"><a name="id367342"></a>Script to Configure Group Mapping</h3></div></div></div><p>
-<a class="indexterm" name="id367350"></a>
- In our example we have created a UNIX/Linux group called <code class="literal">ntadmin</code>.
- Our script will create the additional groups <code class="literal">Orks</code>, <code class="literal">Elves</code>, and <code class="literal">Gnomes</code>.
- It is a good idea to save this shell script for later use just in case you ever need to rebuild your mapping database.
- For the sake of convenience we elect to save this script as a file called <code class="filename">initGroups.sh</code>.
- This script is given in <a class="link" href="groupmapping.html#set-group-map" title="Example 12.3. Script to Set Group Mapping">intGroups.sh</a>.
-<a class="indexterm" name="id367397"></a>
-</p><div class="example"><a name="set-group-map"></a><p class="title"><b>Example 12.3. Script to Set Group Mapping</b></p><div class="example-contents"><pre class="programlisting">
-#!/bin/bash
-
-net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
-net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
-net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
-
-groupadd Orks
-groupadd Elves
-groupadd Gnomes
-
-net groupmap add ntgroup="Orks" unixgroup=Orks type=d
-net groupmap add ntgroup="Elves" unixgroup=Elves type=d
-net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
-</pre></div></div><p><br class="example-break">
- </p><p>
- Of course it is expected that the administrator will modify this to suit local needs.
- For information regarding the use of the <code class="literal">net groupmap</code> tool please
- refer to the man page.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- Versions of Samba-3 prior to 3.0.23 automatically create default group mapping for the
- <code class="literal">Domain Admins, Domain Users</code> and <code class="literal">Domain Guests</code> Windows
- groups, but do not map them to UNIX GIDs. This was a cause of administrative confusion and
- trouble. Commencing with Samba-3.0.23 this anomaly has been fixed - thus all Windows groups
- must now be manually and explicitly created and mapped to a valid UNIX GID by the Samba
- administrator.
- </p></div></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id367456"></a>Common Errors</h2></div></div></div><p>
-At this time there are many little surprises for the unwary administrator. In a real sense
-it is imperative that every step of automated control scripts be carefully tested
-manually before putting it into active service.
-</p><div class="sect2" title="Adding Groups Fails"><div class="titlepage"><div><div><h3 class="title"><a name="id367467"></a>Adding Groups Fails</h3></div></div></div><p>
-<a class="indexterm" name="id367475"></a>
- This is a common problem when the <code class="literal">groupadd</code> is called directly
- by the Samba interface script for the <a class="link" href="smb.conf.5.html#ADDGROUPSCRIPT" target="_top">add group script</a> in
- the <code class="filename">smb.conf</code> file.
- </p><p>
-<a class="indexterm" name="id367510"></a>
-<a class="indexterm" name="id367517"></a>
- The most common cause of failure is an attempt to add an MS Windows group account
- that has an uppercase character and/or a space character in it.
- </p><p>
-<a class="indexterm" name="id367528"></a>
- There are three possible workarounds. First, use only group names that comply
- with the limitations of the UNIX/Linux <code class="literal">groupadd</code> system tool.
- Second, it involves the use of the script mentioned earlier in this chapter, and
- third is the option is to manually create a UNIX/Linux group account that can substitute
- for the MS Windows group name, then use the procedure listed above to map that group
- to the MS Windows group.
- </p></div><div class="sect2" title="Adding Domain Users to the Workstation Power Users Group"><div class="titlepage"><div><div><h3 class="title"><a name="id367547"></a>Adding Domain Users to the Workstation Power Users Group</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">
- What must I do to add domain users to the Power Users group?
- </span>&#8221;</span></p><p>
-<a class="indexterm" name="id367560"></a>
- The Power Users group is a group that is local to each Windows 200x/XP Professional workstation.
- You cannot add the Domain Users group to the Power Users group automatically, it must be done on
- each workstation by logging in as the local workstation <span class="emphasis"><em>administrator</em></span> and
- then using the following procedure:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Click <span class="guimenu">Start -&gt; Control Panel -&gt; Users and Passwords</span>.
- </p></li><li class="step" title="Step 2"><p>
- Click the <span class="guimenuitem">Advanced</span> tab.
- </p></li><li class="step" title="Step 3"><p>
- Click the <span class="guibutton">Advanced</span> button.
- </p></li><li class="step" title="Step 4"><p>
- Click <code class="constant">Groups</code>.
- </p></li><li class="step" title="Step 5"><p>
- Double-click <code class="constant">Power Users</code>. This will launch the panel to add users or groups
- to the local machine <code class="constant">Power Users</code> group.
- </p></li><li class="step" title="Step 6"><p>
- Click the <span class="guibutton">Add</span> button.
- </p></li><li class="step" title="Step 7"><p>
- Select the domain from which the <code class="constant">Domain Users</code> group is to be added.
- </p></li><li class="step" title="Step 8"><p>
- Double-click the <code class="constant">Domain Users</code> group.
- </p></li><li class="step" title="Step 9"><p>
- Click the <span class="guibutton">OK</span> button. If a logon box is presented during this process,
- please remember to enter the connect as <code class="constant">DOMAIN\UserName</code>, that is, for the
- domain <code class="constant">MIDEARTH</code> and the user <code class="constant">root</code> enter
- <code class="constant">MIDEARTH\root</code>.
- </p></li></ol></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NetCommand.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. Remote and Local Management: The Net Command</td></tr></table></div></body></html>
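Review bot: The smbgrpadd.sh listing removed in this hunk (Example 12.1) puts `$1` unescaped into `sed "s/^smbtmpgrp00/$1/g"` and writes the result straight over /etc/group with a shell redirect, while Example 12.2 passes it `"%g"` from smb.conf. A group name containing `/`, `&` or a newline therefore changes what is written to the group file, and an interrupted run can leave /etc/group truncated after the `.bak` copy has been removed. The script also ends with `exit 0` whether or not `groupadd` succeeded. This diff only removes the rendered HTML under docs/htmldocs, so if the chapter source stays in the tree the example should be corrected there: validate the name against an allow-list before use, escape it for sed, write the new content to a temporary file in /etc and rename it into place, and return the failing exit status. Separately, the link text `intGroups.sh` in the Example 12.3 paragraph does not match the file name `initGroups.sh` given one line earlier.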
diff --git a/docs/htmldocs/Samba3-HOWTO/idmapper.html b/docs/htmldocs/Samba3-HOWTO/idmapper.html
deleted file mode 100644
index 9e520ed1d2..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/idmapper.html
+++ /dev/null
@@ -1,731 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. Identity Mapping (IDMAP)</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"><link rel="next" href="rights.html" title="Chapter 15. User Rights and Privileges"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Identity Mapping (IDMAP)</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 14. Identity Mapping (IDMAP)"><div class="titlepage"><div><div><h2 class="title"><a name="idmapper"></a>Chapter 14. 
Identity Mapping (IDMAP)</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="idmapper.html#id372830">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id372854">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id373803">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id374021">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id374087">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id374148">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id374842">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375947">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id372576"></a>
-<a class="indexterm" name="id372582"></a>
-<a class="indexterm" name="id372589"></a>
-<a class="indexterm" name="id372596"></a>
-<a class="indexterm" name="id372605"></a>
-<a class="indexterm" name="id372612"></a>
-<a class="indexterm" name="id372618"></a>
-The Microsoft Windows operating system has a number of features that impose specific challenges
-to interoperability with the operating systems on which Samba is implemented. This chapter deals
-explicitly with the mechanisms Samba-3 (version 3.0.8 and later) uses to overcome one of the
-key challenges in the integration of Samba servers into an MS Windows networking environment.
-This chapter deals with identity mapping (IDMAP) of Windows security identifiers (SIDs)
-to UNIX UIDs and GIDs.
-</p><p>
-To ensure sufficient coverage, each possible Samba deployment type is discussed.
-This is followed by an overview of how the IDMAP facility may be implemented.
-</p><p>
-<a class="indexterm" name="id372637"></a>
-<a class="indexterm" name="id372644"></a>
-<a class="indexterm" name="id372650"></a>
-<a class="indexterm" name="id372657"></a>
-The IDMAP facility is of concern where more than one Samba server (or Samba network client)
-is installed in a domain. Where there is a single Samba server, do not be too concerned regarding
-the IDMAP infrastructure the default behavior of Samba is nearly always sufficient.
-Where multiple Samba servers are used it is often necessary to move data off one server and onto
-another, and that is where the fun begins!
-</p><p>
-<a class="indexterm" name="id372674"></a>
-<a class="indexterm" name="id372680"></a>
-<a class="indexterm" name="id372686"></a>
-<a class="indexterm" name="id372693"></a>
-<a class="indexterm" name="id372700"></a>
-<a class="indexterm" name="id372707"></a>
-<a class="indexterm" name="id372713"></a>
-<a class="indexterm" name="id372720"></a>
-Where user and group account information is stored in an LDAP directory every server can have the same
-consistent UID and GID for users and groups. This is achieved using NSS and the nss_ldap tool. Samba
-can be configured to use only local accounts, in which case the scope of the IDMAP problem is somewhat
-reduced. This works reasonably well if the servers belong to a single domain, and interdomain trusts
-are not needed. On the other hand, if the Samba servers are NT4 domain members, or ADS domain members,
-or if there is a need to keep the security name-space separate (i.e., the user
-<code class="literal">DOMINICUS\FJones</code> must not be given access to the account resources of the user
-<code class="literal">FRANCISCUS\FJones</code><sup>[<a name="id372743" href="#ftn.id372743" class="footnote">4</a>]</sup> free from inadvertent cross-over, close attention should be given
-to the way that the IDMAP facility is configured.
-</p><p>
-<a class="indexterm" name="id372770"></a>
-<a class="indexterm" name="id372777"></a>
-<a class="indexterm" name="id372784"></a>
-<a class="indexterm" name="id372790"></a>
-<a class="indexterm" name="id372797"></a>
-<a class="indexterm" name="id372803"></a>
-The use of IDMAP is important where the Samba server will be accessed by workstations or servers from
-more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping)
-of foreign SIDs to local UNIX UIDs and GIDs.
-</p><p>
-<a class="indexterm" name="id372816"></a>
-The use of the IDMAP facility requires the execution of the <code class="literal">winbindd</code> upon Samba startup.
-</p><div class="sect1" title="Samba Server Deployment Types and IDMAP"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id372830"></a>Samba Server Deployment Types and IDMAP</h2></div></div></div><p>
-<a class="indexterm" name="id372838"></a>
-There are four basic server deployment types, as documented in <a class="link" href="ServerType.html" title="Chapter 3. Server Types and Security Modes">the chapter
-on Server Types and Security Modes</a>.
-</p><div class="sect2" title="Standalone Samba Server"><div class="titlepage"><div><div><h3 class="title"><a name="id372854"></a>Standalone Samba Server</h3></div></div></div><p>
- <a class="indexterm" name="id372861"></a>
- <a class="indexterm" name="id372868"></a>
- <a class="indexterm" name="id372875"></a>
- A standalone Samba server is an implementation that is not a member of a Windows NT4 domain,
- a Windows 200X Active Directory domain, or a Samba domain.
- </p><p>
- <a class="indexterm" name="id372886"></a>
- <a class="indexterm" name="id372893"></a>
- <a class="indexterm" name="id372900"></a>
- By definition, this means that users and groups will be created and controlled locally, and
- the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility
- is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility
- will not be relevant or of interest.
- </p></div><div class="sect2" title="Domain Member Server or Domain Member Client"><div class="titlepage"><div><div><h3 class="title"><a name="id372912"></a>Domain Member Server or Domain Member Client</h3></div></div></div><p>
- <a class="indexterm" name="id372920"></a>
- <a class="indexterm" name="id372926"></a>
- <a class="indexterm" name="id372933"></a>
- <a class="indexterm" name="id372940"></a>
- <a class="indexterm" name="id372946"></a>
- Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that
- are compatible with Windows NT4. Samba-3 file and print sharing protocols are compatible with
- all versions of MS Windows products. Windows NT4, as with MS Active Directory,
- extensively makes use of Windows SIDs.
- </p><p>
- <a class="indexterm" name="id372959"></a>
- <a class="indexterm" name="id372966"></a>
- <a class="indexterm" name="id372972"></a>
- Samba-3 domain member servers and clients must interact correctly with MS Windows SIDs. Incoming
- Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba
- server must provide to MS Windows clients and servers appropriate SIDs.
- </p><p>
- <a class="indexterm" name="id372984"></a>
- <a class="indexterm" name="id372991"></a>
- A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle
- identity mapping in a variety of ways. The mechanism it uses depends on whether or not
- the <code class="literal">winbindd</code> daemon is used and how the winbind functionality is configured.
- The configuration options are briefly described here:
- </p><div class="variablelist"><dl><dt><span class="term">Winbind is not used; users and groups are local: </span></dt><dd><p>
- <a class="indexterm" name="id373018"></a>
- <a class="indexterm" name="id373025"></a>
- <a class="indexterm" name="id373032"></a>
- <a class="indexterm" name="id373039"></a>
- <a class="indexterm" name="id373046"></a>
- <a class="indexterm" name="id373052"></a>
- <a class="indexterm" name="id373059"></a>
- <a class="indexterm" name="id373066"></a>
- <a class="indexterm" name="id373073"></a>
- <a class="indexterm" name="id373079"></a>
- <a class="indexterm" name="id373086"></a>
- Where <code class="literal">winbindd</code> is not used Samba (<code class="literal">smbd</code>)
- uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming
- network traffic. This is done using the LoginID (account name) in the
- session setup request and passing it to the getpwnam() system function call.
- This call is implemented using the name service switch (NSS) mechanism on
- modern UNIX/Linux systems. By saying "users and groups are local,"
- we are implying that they are stored only on the local system, in the
- <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code> respectively.
- </p><p>
- <a class="indexterm" name="id373124"></a>
- <a class="indexterm" name="id373131"></a>
- For example, when the user <code class="literal">BERYLIUM\WambatW</code> tries to open a
- connection to a Samba server the incoming SessionSetupAndX request will make a
- system call to look up the user <code class="literal">WambatW</code> in the
- <code class="filename">/etc/passwd</code> file.
- </p><p>
- <a class="indexterm" name="id373160"></a>
- <a class="indexterm" name="id373167"></a>
- <a class="indexterm" name="id373174"></a>
- <a class="indexterm" name="id373181"></a>
- <a class="indexterm" name="id373187"></a>
- <a class="indexterm" name="id373194"></a>
- <a class="indexterm" name="id373200"></a>
- <a class="indexterm" name="id373207"></a>
- This configuration may be used with standalone Samba servers, domain member
- servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
- or a tdbsam-based Samba passdb backend.
- </p></dd><dt><span class="term">Winbind is not used; users and groups resolved via NSS: </span></dt><dd><p>
- <a class="indexterm" name="id373228"></a>
- <a class="indexterm" name="id373235"></a>
- <a class="indexterm" name="id373242"></a>
- <a class="indexterm" name="id373249"></a>
- <a class="indexterm" name="id373255"></a>
- <a class="indexterm" name="id373262"></a>
- In this situation user and group accounts are treated as if they are local
- accounts. The only way in which this differs from having local accounts is
- that the accounts are stored in a repository that can be shared. In practice
- this means that they will reside in either an NIS-type database or else in LDAP.
- </p><p>
- <a class="indexterm" name="id373275"></a>
- <a class="indexterm" name="id373282"></a>
- <a class="indexterm" name="id373288"></a>
- <a class="indexterm" name="id373295"></a>
- <a class="indexterm" name="id373302"></a>
- <a class="indexterm" name="id373308"></a>
- <a class="indexterm" name="id373315"></a>
- This configuration may be used with standalone Samba servers, domain member
- servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
- or a tdbsam-based Samba passdb backend.
- </p></dd><dt><span class="term">Winbind/NSS with the default local IDMAP table: </span></dt><dd><p>
- <a class="indexterm" name="id373336"></a>
- <a class="indexterm" name="id373342"></a>
- <a class="indexterm" name="id373349"></a>
- <a class="indexterm" name="id373356"></a>
- There are many sites that require only a simple Samba server or a single Samba
- server that is a member of a Windows NT4 domain or an ADS domain. A typical example
- is an appliance like file server on which no local accounts are configured and
- winbind is used to obtain account credentials from the domain controllers for the
- domain. The domain control can be provided by Samba-3, MS Windows NT4, or MS Windows
- Active Directory.
- </p><p>
- <a class="indexterm" name="id373370"></a>
- <a class="indexterm" name="id373377"></a>
- <a class="indexterm" name="id373384"></a>
- <a class="indexterm" name="id373390"></a>
- <a class="indexterm" name="id373397"></a>
- Winbind is a great convenience in this situation. All that is needed is a range of
- UID numbers and GID numbers that can be defined in the <code class="filename">smb.conf</code> file. The
- <code class="filename">/etc/nsswitch.conf</code> file is configured to use <code class="literal">winbind</code>,
- which does all the difficult work of mapping incoming SIDs to appropriate UIDs and GIDs.
- The SIDs are allocated a UID/GID in the order in which winbind receives them.
- </p><p>
- <a class="indexterm" name="id373428"></a>
- <a class="indexterm" name="id373434"></a>
- <a class="indexterm" name="id373441"></a>
- <a class="indexterm" name="id373448"></a>
- This configuration is not convenient or practical in sites that have more than one
- Samba server and that require the same UID or GID for the same user or group across
- all servers. One of the hazards of this method is that in the event that the winbind
- IDMAP file becomes corrupted or lost, the repaired or rebuilt IDMAP file may allocate
- UIDs and GIDs to different users and groups from what was there previously with the
- result that MS Windows files that are stored on the Samba server may now not belong to
- the rightful owners.
- </p></dd><dt><span class="term">Winbind/NSS uses RID based IDMAP: </span></dt><dd><p>
- <a class="indexterm" name="id373471"></a>
- <a class="indexterm" name="id373478"></a>
- <a class="indexterm" name="id373485"></a>
- <a class="indexterm" name="id373491"></a>
- The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier
- for a number of sites that are committed to use of MS ADS, that do not apply
- an ADS schema extension, and that do not have an installed an LDAP directory server just for
- the purpose of maintaining an IDMAP table. If you have a single ADS domain (not a forest of
- domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the
- IDMAP table problem, then IDMAP_RID is an obvious choice.
- </p><p>
- <a class="indexterm" name="id373506"></a>
- <a class="indexterm" name="id373513"></a>
- <a class="indexterm" name="id373519"></a>
- <a class="indexterm" name="id373526"></a>
- <a class="indexterm" name="id373533"></a>
- <a class="indexterm" name="id373539"></a>
- <a class="indexterm" name="id373546"></a>
- <a class="indexterm" name="id373553"></a>
- This facility requires the allocation of the <em class="parameter"><code>idmap uid</code></em> and the
- <em class="parameter"><code>idmap gid</code></em> ranges, and within the <em class="parameter"><code>idmap uid</code></em>
- it is possible to allocate a subset of this range for automatic mapping of the relative
- identifier (RID) portion of the SID directly to the base of the UID plus the RID value.
- For example, if the <em class="parameter"><code>idmap uid</code></em> range is <code class="constant">1000-100000000</code>
- and the <em class="parameter"><code>idmap backend = idmap_rid:DOMAIN_NAME=1000-50000000</code></em>, and
- a SID is encountered that has the value <code class="constant">S-1-5-21-34567898-12529001-32973135-1234</code>,
- the resulting UID will be <code class="constant">1000 + 1234 = 2234</code>.
- </p></dd><dt><span class="term">Winbind with an NSS/LDAP backend-based IDMAP facility: </span></dt><dd><p>
- <a class="indexterm" name="id373616"></a>
- <a class="indexterm" name="id373623"></a>
- <a class="indexterm" name="id373630"></a>
- <a class="indexterm" name="id373636"></a>
- <a class="indexterm" name="id373643"></a>
- <a class="indexterm" name="id373649"></a>
- <a class="indexterm" name="id373656"></a>
- <a class="indexterm" name="id373663"></a>
- In this configuration <code class="literal">winbind</code> resolved SIDs to UIDs and GIDs from
- the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> ranges specified
- in the <code class="filename">smb.conf</code> file, but instead of using a local winbind IDMAP table, it is stored
- in an LDAP directory so that all domain member machines (clients and servers) can share
- a common IDMAP table.
- </p><p>
- <a class="indexterm" name="id373699"></a>
- <a class="indexterm" name="id373706"></a>
- <a class="indexterm" name="id373713"></a>
- It is important that all LDAP IDMAP clients use only the master LDAP server because the
- <em class="parameter"><code>idmap backend</code></em> facility in the <code class="filename">smb.conf</code> file does not correctly
- handle LDAP redirects.
- </p></dd><dt><span class="term">Winbind with NSS to resolve UNIX/Linux user and group IDs: </span></dt><dd><p>
- The use of LDAP as the passdb backend is a smart solution for PDC, BDC, and
- domain member servers. It is a neat method for assuring that UIDs, GIDs, and the matching
- SIDs are consistent across all servers.
- </p><p>
- <a class="indexterm" name="id373750"></a>
- <a class="indexterm" name="id373757"></a>
- The use of the LDAP-based passdb backend requires use of the PADL nss_ldap utility or
- an equivalent. In this situation winbind is used to handle foreign SIDs, that is, SIDs from
- standalone Windows clients (i.e., not a member of our domain) as well as SIDs from
- another domain. The foreign UID/GID is mapped from allocated ranges (idmap uid and idmap gid)
- in precisely the same manner as when using winbind with a local IDMAP table.
- </p><p>
- <a class="indexterm" name="id373771"></a>
- <a class="indexterm" name="id373778"></a>
- <a class="indexterm" name="id373785"></a>
- The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active
- Directory. In order to use Active Directory, it is necessary to modify the ADS schema by
- installing either the AD4UNIX schema extension or using the Microsoft Services for UNIX
- version 3.5 or later to extend the ADS schema so it maintains UNIX account credentials.
- Where the ADS schema is extended, a Microsoft Management Console (MMC) snap-in is also
- installed to permit the UNIX credentials to be set and managed from the ADS User and Computer
- Management tool. Each account must be separately UNIX-enabled before the UID and GID data can
- be used by Samba.
- </p></dd></dl></div></div><div class="sect2" title="Primary Domain Controller"><div class="titlepage"><div><div><h3 class="title"><a name="id373803"></a>Primary Domain Controller</h3></div></div></div><p>
- <a class="indexterm" name="id373810"></a>
- <a class="indexterm" name="id373817"></a>
- <a class="indexterm" name="id373824"></a>
- <a class="indexterm" name="id373830"></a>
- Microsoft Windows domain security systems generate the user and group SID as part
- of the process of creation of an account. Windows does not have a concept of the UNIX UID or a GID; rather,
- it has its own type of security descriptor. When Samba is used as a domain controller, it provides a method
- of producing a unique SID for each user and group. Samba generates a machine and a domain SID to which it
- adds an RID that is calculated algorithmically from a base value that can be specified
- in the <code class="filename">smb.conf</code> file, plus twice (2x) the UID or GID. This method is called <span class="quote">&#8220;<span class="quote">algorithmic mapping</span>&#8221;</span>.
- </p><p>
- <a class="indexterm" name="id373855"></a>
- For example, if a user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will
- be <code class="literal">1000 + (2 x 4321) = 9642</code>. Thus, if the domain SID is
- <code class="literal">S-1-5-21-89238497-92787123-12341112</code>, the resulting SID is
- <code class="literal">S-1-5-21-89238497-92787123-12341112-9642</code>.
- </p><p>
- <a class="indexterm" name="id373884"></a>
- <a class="indexterm" name="id373891"></a>
- <a class="indexterm" name="id373898"></a>
- <a class="indexterm" name="id373904"></a>
- The foregoing type of SID is produced by Samba as an automatic function and is either produced on the fly
- (as is the case when using a <em class="parameter"><code>passdb backend = [tdbsam | smbpasswd]</code></em>), or may be stored
- as a permanent part of an account in an LDAP-based ldapsam.
- </p><p>
- <a class="indexterm" name="id373922"></a>
- <a class="indexterm" name="id373929"></a>
- <a class="indexterm" name="id373936"></a>
- <a class="indexterm" name="id373942"></a>
- <a class="indexterm" name="id373949"></a>
- <a class="indexterm" name="id373956"></a>
- <a class="indexterm" name="id373962"></a>
- <a class="indexterm" name="id373969"></a>
- <a class="indexterm" name="id373976"></a>
- ADS uses a directory schema that can be extended to accommodate additional
- account attributes such as UIDs and GIDs. The installation of Microsoft Service for UNIX 3.5 will expand
- the normal ADS schema to include UNIX account attributes. These must of course be managed separately
- through a snap-in module to the normal ADS account management MMC interface.
- </p><p>
- <a class="indexterm" name="id373989"></a>
- <a class="indexterm" name="id373995"></a>
- <a class="indexterm" name="id374002"></a>
- <a class="indexterm" name="id374009"></a>
- Security identifiers used within a domain must be managed to avoid conflict and to preserve integrity.
- In an NT4 domain context, the PDC manages the distribution of all security credentials to the backup
- domain controllers (BDCs). At this time the only passdb backend for a Samba domain controller that is suitable
- for such information is an LDAP backend.
- </p></div><div class="sect2" title="Backup Domain Controller"><div class="titlepage"><div><div><h3 class="title"><a name="id374021"></a>Backup Domain Controller</h3></div></div></div><p>
- <a class="indexterm" name="id374029"></a>
- <a class="indexterm" name="id374035"></a>
- <a class="indexterm" name="id374042"></a>
- <a class="indexterm" name="id374049"></a>
- <a class="indexterm" name="id374056"></a>
- <a class="indexterm" name="id374062"></a>
- <a class="indexterm" name="id374069"></a>
- BDCs have read-only access to security credentials that are stored in LDAP.
- Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write
- changes to the directory.
- </p><p>
- IDMAP information can be written directly to the LDAP server so long as all domain controllers
- have access to the master (writable) LDAP server. Samba-3 at this time does not handle LDAP redirects
- in the IDMAP backend. This means that it is is unsafe to use a slave (replicate) LDAP server with
- the IDMAP facility.
- </p></div></div><div class="sect1" title="Examples of IDMAP Backend Usage"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id374087"></a>Examples of IDMAP Backend Usage</h2></div></div></div><p>
-<a class="indexterm" name="id374095"></a>
-<a class="indexterm" name="id374104"></a>
-<a class="indexterm" name="id374113"></a>
-<a class="indexterm" name="id374120"></a>
-<a class="indexterm" name="id374126"></a>
-Anyone who wishes to use <code class="literal">winbind</code> will find the following example configurations helpful.
-Remember that in the majority of cases <code class="literal">winbind</code> is of primary interest for use with
-domain member servers (DMSs) and domain member clients (DMCs).
-</p><div class="sect2" title="Default Winbind TDB"><div class="titlepage"><div><div><h3 class="title"><a name="id374148"></a>Default Winbind TDB</h3></div></div></div><p>
- Two common configurations are used:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Networks that have an NT4 PDC (with or without BDCs) or a Samba PDC (with or without BDCs).
- </p></li><li class="listitem"><p>
- Networks that use MS Windows 200x ADS.
- </p></li></ul></div><div class="sect3" title="NT4-Style Domains (Includes Samba Domains)"><div class="titlepage"><div><div><h4 class="title"><a name="id374170"></a>NT4-Style Domains (Includes Samba Domains)</h4></div></div></div><p>
- <a class="link" href="idmapper.html#idmapnt4dms" title="Example 14.1. NT4 Domain Member Server smb.conf">NT4 Domain Member Server smb.con</a> is a simple example of an NT4 DMS
- <code class="filename">smb.conf</code> file that shows only the global section.
- </p><div class="example"><a name="idmapnt4dms"></a><p class="title"><b>Example 14.1. NT4 Domain Member Server smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id374222"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id374233"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id374244"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id374256"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id374267"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id374279"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr></table></div></div><br class="example-break"><p>
- <a class="indexterm" name="id374294"></a>
- <a class="indexterm" name="id374301"></a>
- The use of <code class="literal">winbind</code> requires configuration of NSS. Edit the <code class="filename">/etc/nsswitch.conf</code>
- so it includes the following entries:
-</p><pre class="screen">
-...
-passwd: files winbind
-shadow: files winbind
-group: files winbind
-...
-hosts: files [dns] wins
-...
-</pre><p>
- The use of DNS in the hosts entry should be made only if DNS is used on site.
- </p><p>
- The creation of the DMS requires the following steps:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Create or install an <code class="filename">smb.conf</code> file with the above configuration.
- </p></li><li class="step" title="Step 2"><p>
- Execute:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc join -UAdministrator%password
-Joined domain MEGANET2.
-</pre><p>
- <a class="indexterm" name="id374365"></a>
- The success of the join can be confirmed with the following command:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc testjoin
-Join to 'MIDEARTH' is OK
-</pre><p>
- A failed join would report an error message like the following:
- <a class="indexterm" name="id374385"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc testjoin
-[2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66)
-Join to domain 'MEGANET2' is not valid
-</pre><p>
- </p></li><li class="step" title="Step 3"><p>
- <a class="indexterm" name="id374411"></a>
- <a class="indexterm" name="id374418"></a>
- <a class="indexterm" name="id374424"></a>
- Start the <code class="literal">nmbd, winbind,</code> and <code class="literal">smbd</code> daemons in the order shown.
- </p></li></ol></div></div><div class="sect3" title="ADS Domains"><div class="titlepage"><div><div><h4 class="title"><a name="id374447"></a>ADS Domains</h4></div></div></div><p>
- <a class="indexterm" name="id374455"></a>
- <a class="indexterm" name="id374461"></a>
- The procedure for joining an ADS domain is similar to the NT4 domain join, except the <code class="filename">smb.conf</code> file
- will have the contents shown in <a class="link" href="idmapper.html#idmapadsdms" title="Example 14.2. ADS Domain Member Server smb.conf">ADS Domain Member Server smb.conf</a>
- </p><div class="example"><a name="idmapadsdms"></a><p class="title"><b>Example 14.2. ADS Domain Member Server smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id374511"></a><em class="parameter"><code>workgroup = BUTTERNET</code></em></td></tr><tr><td><a class="indexterm" name="id374523"></a><em class="parameter"><code>netbios name = GARGOYLE</code></em></td></tr><tr><td><a class="indexterm" name="id374534"></a><em class="parameter"><code>realm = BUTTERNET.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id374546"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id374557"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id374569"></a><em class="parameter"><code>idmap uid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id374580"></a><em class="parameter"><code>idmap gid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id374592"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id374604"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id374615"></a><em class="parameter"><code>printer admin = "BUTTERNET\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
- <a class="indexterm" name="id374630"></a>
- <a class="indexterm" name="id374637"></a>
- <a class="indexterm" name="id374644"></a>
- <a class="indexterm" name="id374651"></a>
- <a class="indexterm" name="id374657"></a>
- <a class="indexterm" name="id374664"></a>
- <a class="indexterm" name="id374671"></a>
- ADS DMS operation requires use of kerberos (KRB). For this to work, the <code class="filename">krb5.conf</code>
- must be configured. The exact requirements depends on which version of MIT or Heimdal Kerberos is being
- used. It is sound advice to use only the latest version, which at this time are MIT Kerberos version
- 1.3.5 and Heimdal 0.61.
- </p><p>
- The creation of the DMS requires the following steps:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Create or install an <code class="filename">smb.conf</code> file with the above configuration.
- </p></li><li class="step" title="Step 2"><p>
- Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
- </p></li><li class="step" title="Step 3"><p>
- Execute:
- <a class="indexterm" name="id374725"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads join -UAdministrator%password
-Joined domain BUTTERNET.
-</pre><p>
- The success or failure of the join can be confirmed with the following command:
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads testjoin
-Using short domain name -- BUTTERNET
-Joined 'GARGOYLE' to realm 'BUTTERNET.BIZ'
-</pre><p>
- </p><p>
- An invalid or failed join can be detected by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads testjoin
-GARGOYLE$@'s password:
-[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
- ads_connect: No results returned
-Join to domain is not valid
-</pre><p>
- <a class="indexterm" name="id374778"></a>
- <a class="indexterm" name="id374784"></a>
- <a class="indexterm" name="id374791"></a>
- <a class="indexterm" name="id374798"></a>
- The specific error message may differ from the above because it depends on the type of failure that
- may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the test,
- and then examine the log files produced to identify the nature of the failure.
- </p></li><li class="step" title="Step 4"><p>
- Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
- </p></li></ol></div></div></div><div class="sect2" title="IDMAP_RID with Winbind"><div class="titlepage"><div><div><h3 class="title"><a name="id374842"></a>IDMAP_RID with Winbind</h3></div></div></div><p>
- <a class="indexterm" name="id374850"></a>
- <a class="indexterm" name="id374856"></a>
- <a class="indexterm" name="id374863"></a>
- <a class="indexterm" name="id374869"></a>
- The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a
- predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
- of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data
- in a central place. The downside is that it can be used only within a single ADS domain and
- is not compatible with trusted domain implementations.
- </p><p>
- <a class="indexterm" name="id374889"></a>
- <a class="indexterm" name="id374895"></a>
- <a class="indexterm" name="id374902"></a>
- <a class="indexterm" name="id374909"></a>
- This alternate method of SID to UID/GID mapping can be achieved using the idmap_rid
- plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
- RID to a base value specified. This utility requires that the parameter
- <span class="quote">&#8220;<span class="quote">allow trusted domains = No</span>&#8221;</span> be specified, as it is not compatible
- with multiple domain environments. The <em class="parameter"><code>idmap uid</code></em> and
- <em class="parameter"><code>idmap gid</code></em> ranges must be specified.
- </p><p>
- <a class="indexterm" name="id374938"></a>
- <a class="indexterm" name="id374945"></a>
- The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory.
- To use this with an NT4 domain, do not include the <em class="parameter"><code>realm</code></em> parameter; additionally, the
- method used to join the domain uses the <code class="constant">net rpc join</code> process.
- </p><p>
- An example <code class="filename">smb.conf</code> file for and ADS domain environment is shown in <a class="link" href="idmapper.html#idmapadsridDMS" title="Example 14.3. ADS Domain Member smb.conf using idmap_rid">ADS
- Domain Member smb.conf using idmap_rid</a>.
- </p><div class="example"><a name="idmapadsridDMS"></a><p class="title"><b>Example 14.3. ADS Domain Member smb.conf using idmap_rid</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id375009"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id375020"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id375032"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id375043"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id375055"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id375066"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id375078"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id375090"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id375101"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id375113"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id375125"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id375136"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id375148"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a class="indexterm" 
name="id375159"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id375171"></a><em class="parameter"><code>printer admin = "Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
- <a class="indexterm" name="id375186"></a>
- <a class="indexterm" name="id375193"></a>
- <a class="indexterm" name="id375199"></a>
- <a class="indexterm" name="id375206"></a>
- In a large domain with many users it is imperative to disable enumeration of users and groups.
- For example, at a site that has 22,000 users in Active Directory the winbind-based user and
- group resolution is unavailable for nearly 12 minutes following first startup of
- <code class="literal">winbind</code>. Disabling enumeration resulted in instantaneous response.
- The disabling of user and group enumeration means that it will not be possible to list users
- or groups using the <code class="literal">getent passwd</code> and <code class="literal">getent group</code>
- commands. It will be possible to perform the lookup for individual users, as shown in the following procedure.
- </p><p>
- <a class="indexterm" name="id375239"></a>
- <a class="indexterm" name="id375245"></a>
- The use of this tool requires configuration of NSS as per the native use of winbind. Edit the
- <code class="filename">/etc/nsswitch.conf</code> so it has the following parameters:
-</p><pre class="screen">
-...
-passwd: files winbind
-shadow: files winbind
-group: files winbind
-...
-hosts: files wins
-...
-</pre><p>
- </p><p>
- The following procedure can use the idmap_rid facility:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Create or install an <code class="filename">smb.conf</code> file with the above configuration.
- </p></li><li class="step" title="Step 2"><p>
- Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
- </p></li><li class="step" title="Step 3"><p>
- Execute:
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads join -UAdministrator%password
-Using short domain name -- KPAK
-Joined 'BIGJOE' to realm 'CORP.KPAK.COM'
-</pre><p>
- </p><p>
- <a class="indexterm" name="id375320"></a>
- An invalid or failed join can be detected by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads testjoin
-BIGJOE$@'s password:
-[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
- ads_connect: No results returned
-Join to domain is not valid
-</pre><p>
- The specific error message may differ from the above because it depends on the type of failure that
- may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the test,
- and then examine the log files produced to identify the nature of the failure.
- </p></li><li class="step" title="Step 4"><p>
- Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
- </p></li><li class="step" title="Step 5"><p>
- Validate the operation of this configuration by executing:
- <a class="indexterm" name="id375380"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> getent passwd administrator
-administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
-</pre><p>
- </p></li></ol></div></div><div class="sect2" title="IDMAP Storage in LDAP Using Winbind"><div class="titlepage"><div><div><h3 class="title"><a name="id375401"></a>IDMAP Storage in LDAP Using Winbind</h3></div></div></div><p>
- <a class="indexterm" name="id375409"></a>
- <a class="indexterm" name="id375415"></a>
- The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and
- ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any
- standards-complying LDAP server can be used. It is therefore possible to deploy this IDMAP
- configuration using the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM,
- and so on.
- </p><p>
- An example is for an ADS domain is shown in <a class="link" href="idmapper.html#idmapldapDMS" title="Example 14.4. ADS Domain Member Server using LDAP">ADS Domain Member Server using
- LDAP</a>.
- </p><div class="example"><a name="idmapldapDMS"></a><p class="title"><b>Example 14.4. ADS Domain Member Server using LDAP</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id375464"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id375476"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id375487"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id375499"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id375510"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id375522"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id375534"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id375545"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id375557"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id375569"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id375580"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id375592"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id375604"></a><em class="parameter"><code>template shell = 
/bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id375615"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
- <a class="indexterm" name="id375630"></a>
- In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the
- command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates
- advanced error-reporting techniques that are documented in <a class="link" href="bugreport.html#dbglvl" title="Debug Levels">Reporting Bugs</a>.
- </p><p>
- <a class="indexterm" name="id375662"></a>
- <a class="indexterm" name="id375669"></a>
- <a class="indexterm" name="id375675"></a>
- Where MIT kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code>
- file so it has the following contents:
-</p><pre class="screen">
-[logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
-
-[libdefaults]
- default_realm = SNOWSHOW.COM
- dns_lookup_realm = false
- dns_lookup_kdc = true
-
-[appdefaults]
- pam = {
- debug = false
- ticket_lifetime = 36000
- renew_lifetime = 36000
- forwardable = true
- krb4_convert = false
- }
-</pre><p>
- </p><p>
- Where Heimdal kerberos is installed, edit the <code class="filename">/etc/krb5.conf</code>
- file so it is either empty (i.e., no contents) or it has the following contents:
-</p><pre class="screen">
-[libdefaults]
- default_realm = SNOWSHOW.COM
- clockskew = 300
-
-[realms]
- SNOWSHOW.COM = {
- kdc = ADSDC.SHOWSHOW.COM
- }
-
-[domain_realm]
- .snowshow.com = SNOWSHOW.COM
-</pre><p>
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- Samba cannot use the Heimdal libraries if there is no <code class="filename">/etc/krb5.conf</code> file.
- So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no
- need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically.
- </p></div><p>
- Edit the NSS control file <code class="filename">/etc/nsswitch.conf</code> so it has the following entries:
-</p><pre class="screen">
-...
-passwd: files ldap
-shadow: files ldap
-group: files ldap
-...
-hosts: files wins
-...
-</pre><p>
- </p><p>
- <a class="indexterm" name="id375748"></a>
- <a class="indexterm" name="id375754"></a>
- You will need the <a class="ulink" href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code>
- tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has
- the information needed. The following is an example of a working file:
-</p><pre class="screen">
-host 192.168.2.1
-base dc=snowshow,dc=com
-binddn cn=Manager,dc=snowshow,dc=com
-bindpw not24get
-
-pam_password exop
-
-nss_base_passwd ou=People,dc=snowshow,dc=com?one
-nss_base_shadow ou=People,dc=snowshow,dc=com?one
-nss_base_group ou=Groups,dc=snowshow,dc=com?one
-ssl no
-</pre><p>
- </p><p>
- The following procedure may be followed to effect a working configuration:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
- Configure the <code class="filename">smb.conf</code> file as shown above.
- </p></li><li class="step" title="Step 2"><p>
- Create the <code class="filename">/etc/krb5.conf</code> file as shown above.
- </p></li><li class="step" title="Step 3"><p>
- Configure the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
- </p></li><li class="step" title="Step 4"><p>
- Download, build, and install the PADL nss_ldap tool set. Configure the
- <code class="filename">/etc/ldap.conf</code> file as shown above.
- </p></li><li class="step" title="Step 5"><p>
- Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP,
- shown in the following LDIF file:
-</p><pre class="screen">
-dn: dc=snowshow,dc=com
-objectClass: dcObject
-objectClass: organization
-dc: snowshow
-o: The Greatest Snow Show in Singapore.
-description: Posix and Samba LDAP Identity Database
-
-dn: cn=Manager,dc=snowshow,dc=com
-objectClass: organizationalRole
-cn: Manager
-description: Directory Manager
-
-dn: ou=Idmap,dc=snowshow,dc=com
-objectClass: organizationalUnit
-ou: idmap
-</pre><p>
- </p></li><li class="step" title="Step 6"><p>
- Execute the command to join the Samba DMS to the ADS domain as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> net ads testjoin
-Using short domain name -- SNOWSHOW
-Joined 'GOODELF' to realm 'SNOWSHOW.COM'
-</pre><p>
- </p></li><li class="step" title="Step 7"><p>
- Store the LDAP server access password in the Samba <code class="filename">secrets.tdb</code> file as follows:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbpasswd -w not24get
-</pre><p>
- </p></li><li class="step" title="Step 8"><p>
- Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
- </p></li></ol></div><p>
- <a class="indexterm" name="id375936"></a>
- Follow the diagnositic procedures shown earlier in this chapter to identify success or failure of the join.
- In many cases a failure is indicated by a silent return to the command prompt with no indication of the
- reason for failure.
- </p></div><div class="sect2" title="IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension"><div class="titlepage"><div><div><h3 class="title"><a name="id375947"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h3></div></div></div><p>
- <a class="indexterm" name="id375955"></a>
- <a class="indexterm" name="id375962"></a>
- The use of this method is messy. The information provided in the following is for guidance only
- and is very definitely not complete. This method does work; it is used in a number of large sites
- and has an acceptable level of performance.
- </p><p>
- An example <code class="filename">smb.conf</code> file is shown in <a class="link" href="idmapper.html#idmaprfc2307" title="Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS">ADS Domain Member Server using
-RFC2307bis Schema Extension Date via NSS</a>.
- </p><div class="example"><a name="idmaprfc2307"></a><p class="title"><b>Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id376017"></a><em class="parameter"><code>workgroup = BOBBY</code></em></td></tr><tr><td><a class="indexterm" name="id376029"></a><em class="parameter"><code>realm = BOBBY.COM</code></em></td></tr><tr><td><a class="indexterm" name="id376040"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id376052"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id376063"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id376075"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id376087"></a><em class="parameter"><code>winbind cache time = 5</code></em></td></tr><tr><td><a class="indexterm" name="id376098"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id376110"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id376122"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
- <a class="indexterm" name="id376136"></a>
- The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
- to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the
- following:
-</p><pre class="screen">
-./configure --enable-rfc2307bis --enable-schema-mapping
-make install
-</pre><p>
- </p><p>
- <a class="indexterm" name="id376154"></a>
- The following <code class="filename">/etc/nsswitch.conf</code> file contents are required:
-</p><pre class="screen">
-...
-passwd: files ldap
-shadow: files ldap
-group: files ldap
-...
-hosts: files wins
-...
-</pre><p>
- </p><p>
- <a class="indexterm" name="id376177"></a>
- <a class="indexterm" name="id376184"></a>
- The <code class="filename">/etc/ldap.conf</code> file must be configured also. Refer to the PADL documentation
- and source code for nss_ldap to specific instructions.
- </p><p>
- The next step involves preparation of the ADS schema. This is briefly discussed in the remaining
- part of this chapter.
- </p><div class="sect3" title="IDMAP, Active Directory, and MS Services for UNIX 3.5"><div class="titlepage"><div><div><h4 class="title"><a name="id376203"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h4></div></div></div><p>
- <a class="indexterm" name="id376211"></a>
- The Microsoft Windows Service for UNIX (SFU) version 3.5 is available for free
- <a class="ulink" href="http://www.microsoft.com/windows/sfu/" target="_top">download</a>
- from the Microsoft Web site. You will need to download this tool and install it following
- Microsoft instructions.
- </p></div><div class="sect3" title="IDMAP, Active Directory and AD4UNIX"><div class="titlepage"><div><div><h4 class="title"><a name="id376228"></a>IDMAP, Active Directory and AD4UNIX</h4></div></div></div><p>
- Instructions for obtaining and installing the AD4UNIX tool set can be found from the
- <a class="ulink" href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top">
- Geekcomix</a> Web site.
- </p></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id372743" href="#id372743" class="para">4</a>] </sup>Samba local account mode results in both
-<code class="literal">DOMINICUS\FJones</code> and <code class="literal">FRANCISCUS\FJones</code> mapping to the UNIX user
-<code class="literal">FJones</code>.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. Remote and Local Management: The Net Command </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. User Rights and Privileges</td></tr></table></div></body></html>
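Review bot: The /etc/ldap.conf example in the removed "IDMAP Storage in LDAP Using Winbind" section binds as cn=Manager with "bindpw not24get" and "ssl no", so the directory manager password is stored in the file and sent over the network unencrypted, and Step 7 then repeats it on the command line as "smbpasswd -w not24get". If this HTML is generated from a source document that remains in the tree (an assumption; the diff shows only the rendered page), change the example there to a dedicated low-privilege bind account over TLS, because the text presents it as "an example of a working file" and readers will copy it. Other defects visible in the removed text would need the same fix at the source. Step 6 of that procedure says it joins the DMS to the domain but runs "net ads testjoin". The Heimdal krb5.conf example names the KDC "ADSDC.SHOWSHOW.COM" under realm SNOWSHOW.COM. The NT4 "net rpc testjoin" success output reports 'MIDEARTH' for a join to MEGANET2. The join commands pass "-UAdministrator%password", which leaves the password in shell history and process listings.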
diff --git a/docs/htmldocs/Samba3-HOWTO/images/10small.png b/docs/htmldocs/Samba3-HOWTO/images/10small.png
deleted file mode 100644
index 56a9b0cd67..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/10small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/11small.png b/docs/htmldocs/Samba3-HOWTO/images/11small.png
deleted file mode 100644
index 18f5d9e4dd..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/11small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/12small.png b/docs/htmldocs/Samba3-HOWTO/images/12small.png
deleted file mode 100644
index 5bdf809c1b..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/12small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/13small.png b/docs/htmldocs/Samba3-HOWTO/images/13small.png
deleted file mode 100644
index 536b2fc2c2..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/13small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/14small.png b/docs/htmldocs/Samba3-HOWTO/images/14small.png
deleted file mode 100644
index 89054249c0..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/14small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/1small.png b/docs/htmldocs/Samba3-HOWTO/images/1small.png
deleted file mode 100644
index c4905163c9..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/1small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/2small.png b/docs/htmldocs/Samba3-HOWTO/images/2small.png
deleted file mode 100644
index 5fd9071349..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/2small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/3small.png b/docs/htmldocs/Samba3-HOWTO/images/3small.png
deleted file mode 100644
index 22a39bae52..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/3small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/4small.png b/docs/htmldocs/Samba3-HOWTO/images/4small.png
deleted file mode 100644
index 6b7f1b1fd4..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/4small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/5small.png b/docs/htmldocs/Samba3-HOWTO/images/5small.png
deleted file mode 100644
index b23e1fc2c7..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/5small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/6small.png b/docs/htmldocs/Samba3-HOWTO/images/6small.png
deleted file mode 100644
index 35a646d826..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/6small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/7small.png b/docs/htmldocs/Samba3-HOWTO/images/7small.png
deleted file mode 100644
index d182677510..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/7small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/8small.png b/docs/htmldocs/Samba3-HOWTO/images/8small.png
deleted file mode 100644
index 08aca66386..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/8small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/9small.png b/docs/htmldocs/Samba3-HOWTO/images/9small.png
deleted file mode 100644
index 90c2cde327..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/9small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME001.png b/docs/htmldocs/Samba3-HOWTO/images/WME001.png
deleted file mode 100644
index c5db7570bc..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME001.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME002.png b/docs/htmldocs/Samba3-HOWTO/images/WME002.png
deleted file mode 100644
index 641f2179a0..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME002.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME003.png b/docs/htmldocs/Samba3-HOWTO/images/WME003.png
deleted file mode 100644
index 073c58eddd..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME003.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME004.png b/docs/htmldocs/Samba3-HOWTO/images/WME004.png
deleted file mode 100644
index 5053adeeec..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME004.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME005.png b/docs/htmldocs/Samba3-HOWTO/images/WME005.png
deleted file mode 100644
index 5e4e72e498..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME005.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME006.png b/docs/htmldocs/Samba3-HOWTO/images/WME006.png
deleted file mode 100644
index cbd3183696..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME006.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME007.png b/docs/htmldocs/Samba3-HOWTO/images/WME007.png
deleted file mode 100644
index e0a113b080..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME007.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME008.png b/docs/htmldocs/Samba3-HOWTO/images/WME008.png
deleted file mode 100644
index b03a7853b4..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME008.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME009.png b/docs/htmldocs/Samba3-HOWTO/images/WME009.png
deleted file mode 100644
index f851876cee..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME009.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME010.png b/docs/htmldocs/Samba3-HOWTO/images/WME010.png
deleted file mode 100644
index 589be02b22..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME010.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME011.png b/docs/htmldocs/Samba3-HOWTO/images/WME011.png
deleted file mode 100644
index f15399b4a2..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME011.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME012.png b/docs/htmldocs/Samba3-HOWTO/images/WME012.png
deleted file mode 100644
index d2e46212f6..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME012.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME013.png b/docs/htmldocs/Samba3-HOWTO/images/WME013.png
deleted file mode 100644
index 0f0a70d062..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME013.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WME014.png b/docs/htmldocs/Samba3-HOWTO/images/WME014.png
deleted file mode 100644
index 73f1dde37c..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WME014.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP002.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP002.png
deleted file mode 100644
index b87001bca4..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WXPP002.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP003.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP003.png
deleted file mode 100644
index a60d6c413a..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WXPP003.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP005.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP005.png
deleted file mode 100644
index 4aa091767b..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WXPP005.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP009.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP009.png
deleted file mode 100644
index b540e238b8..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WXPP009.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/WXPP014.png b/docs/htmldocs/Samba3-HOWTO/images/WXPP014.png
deleted file mode 100644
index f1e02d3ce3..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/WXPP014.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/a_small.png b/docs/htmldocs/Samba3-HOWTO/images/a_small.png
deleted file mode 100644
index a6622ef6cf..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/a_small.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/access1.png b/docs/htmldocs/Samba3-HOWTO/images/access1.png
deleted file mode 100644
index f8b3ac5bb1..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/access1.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/access1.svg b/docs/htmldocs/Samba3-HOWTO/images/access1.svg
deleted file mode 100644
index 486686f780..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/access1.svg
+++ /dev/null
@@ -1,308 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="30.1cm"
- height="13.348cm"
- viewBox="1.35 1.15 31.45 14.498"
- id="svg2">
- <defs
- id="defs99" />
- <rect
- width="4.4000001"
- height="1.1"
- x="1.4"
- y="1.2"
- id="rect4"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.4000001"
- height="1.1"
- x="1.4"
- y="1.2"
- id="rect6"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="3"
- y="2"
- id="text8"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">type</text>
- <rect
- width="4.4000001"
- height="1.1"
- x="6.5"
- y="1.2"
- id="rect10"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.4000001"
- height="1.1"
- x="6.5"
- y="1.2"
- id="rect12"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="7.8000002"
- y="2"
- id="text14"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">users</text>
- <rect
- width="4.4000001"
- height="1.1"
- x="11.5"
- y="1.2"
- id="rect16"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.4000001"
- height="1.1"
- x="11.5"
- y="1.2"
- id="rect18"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="12.6"
- y="2"
- id="text20"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">group</text>
- <rect
- width="4.4000001"
- height="1.1"
- x="16.5"
- y="1.2"
- id="rect22"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.4000001"
- height="1.1"
- x="16.5"
- y="1.2"
- id="rect24"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="17.700001"
- y="2"
- id="text26"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">others</text>
- <rect
- width="4.4000001"
- height="1.1"
- x="1.4"
- y="2.7"
- id="rect28"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.4000001"
- height="1.1"
- x="1.4"
- y="2.7"
- id="rect30"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="3.2"
- y="3.5"
- id="text32"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">d l</text>
- <rect
- width="4.4000001"
- height="1.1"
- x="6.5"
- y="2.7"
- id="rect34"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.4000001"
- height="1.1"
- x="6.5"
- y="2.7"
- id="rect36"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="7.9000001"
- y="3.5"
- id="text38"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">r w x</text>
- <rect
- width="4.4000001"
- height="1.1"
- x="11.5"
- y="2.7"
- id="rect40"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.4000001"
- height="1.1"
- x="11.5"
- y="2.7"
- id="rect42"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="13"
- y="3.5"
- id="text44"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">r w x</text>
- <rect
- width="4.4000001"
- height="1.1"
- x="16.5"
- y="2.7"
- id="rect46"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.4000001"
- height="1.1"
- x="16.5"
- y="2.7"
- id="rect48"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="17.9"
- y="3.5"
- id="text50"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">r w x</text>
- <text
- x="22.700001"
- y="6.0999999"
- id="text52"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Can Execute, List files</text>
- <text
- x="22.700001"
- y="6.9000001"
- id="text54"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Can Write, Create files</text>
- <text
- x="22.700001"
- y="7.6999998"
- id="text56"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Can Read, Read files</text>
- <text
- x="22.700001"
- y="8.5"
- id="text58"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Can Execute, List files</text>
- <text
- x="22.700001"
- y="9.3000002"
- id="text60"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Can Write, Create files</text>
- <text
- x="22.700001"
- y="10.1"
- id="text62"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Can Read, Read files</text>
- <text
- x="22.700001"
- y="10.9"
- id="text64"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Can Execute, List files</text>
- <text
- x="22.700001"
- y="11.7"
- id="text66"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Can Write, Create files</text>
- <text
- x="22.700001"
- y="12.5"
- id="text68"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Can Read, Read files</text>
- <text
- x="22.700001"
- y="13.3"
- id="text70"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Is a symbolic link</text>
- <text
- x="22.700001"
- y="14.1"
- id="text72"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:monospace">Is a directory</text>
- <line
- x1="18.700001"
- y1="3.8"
- x2="18.700001"
- y2="6.6999998"
- stroke="#000000"
- stroke-width="0.100"
- id="line74"
- style="stroke:#000000;stroke-width:0.1" />
- <line
- x1="18.700001"
- y1="6.6999998"
- x2="22.1"
- y2="6.6999998"
- stroke="#000000"
- stroke-width="0.100"
- id="line76"
- style="stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="18.000,3.800 18.000,3.800 18.000,7.500 22.100,7.500 "
- id="polyline78"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="14.400,3.700 14.400,3.700 14.400,8.300 22.100,8.300 "
- id="polyline80"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="13.700,3.800 13.700,3.800 13.700,9.100 22.100,9.100 "
- id="polyline82"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="13.100,3.800 13.000,3.800 13.000,9.900 22.100,9.900 "
- id="polyline84"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="9.200,3.800 9.300,3.800 9.300,10.700 22.100,10.700 "
- id="polyline86"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="8.700,3.800 8.800,3.800 8.800,11.500 22.100,11.500 "
- id="polyline88"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="8.000,3.800 8.100,3.800 8.100,12.300 22.100,12.300 "
- id="polyline90"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="3.900,3.800 3.900,3.800 3.900,13.100 22.100,13.100 "
- id="polyline92"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="3.300,3.800 3.300,3.800 3.300,13.900 22.100,13.900 "
- id="polyline94"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="19.200,3.800 19.200,3.800 19.200,5.900 22.100,5.900 "
- id="polyline96"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
-</svg>
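Review bot: access1.svg is removed here together with access1.png, but the header comment "Created with Inkscape" marks the SVG as the hand-edited source of the permission-bits diagram (type / users / group / others, r w x), not a rendered artifact. Confirm that a copy is kept wherever the documentation source lives, or say in the commit message that the figure is being dropped on purpose, because the PNG cannot be regenerated once both files are gone.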
diff --git a/docs/htmldocs/Samba3-HOWTO/images/browsing1.png b/docs/htmldocs/Samba3-HOWTO/images/browsing1.png
deleted file mode 100644
index eef62c1e8c..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/browsing1.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/browsing1.svg b/docs/htmldocs/Samba3-HOWTO/images/browsing1.svg
deleted file mode 100644
index 181ea21871..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/browsing1.svg
+++ /dev/null
@@ -1,2025 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="29.107cm"
- height="18.84cm"
- viewBox="-2.808 0.758 26.299 19.598"
- id="svg2">
- <defs
- id="defs689" />
- <rect
- width="1.534"
- height="3.5799999"
- x="2.007"
- y="2.0139999"
- id="rect4"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.534"
- height="3.5799999"
- x="2.007"
- y="2.0139999"
- id="rect6"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.227"
- height="0.40900001"
- x="2.1600001"
- y="2.2279999"
- id="rect8"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.227"
- height="0.40900001"
- x="2.1600001"
- y="2.638"
- id="rect10"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.227"
- height="0.40900001"
- x="2.1600001"
- y="3.0469999"
- id="rect12"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.227"
- height="0.40900001"
- x="2.1600001"
- y="3.4560001"
- id="rect14"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.76700002"
- height="0.245"
- x="2.1600001"
- y="3.947"
- id="rect16"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="3.3110001"
- cy="3.9879999"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse18"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="3.3110001"
- cy="3.9879999"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse20"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="3.3110001"
- cy="4.151"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse22"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="3.3110001"
- cy="4.151"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse24"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.184"
- height="0.164"
- x="3.0039999"
- y="4.0279999"
- id="rect26"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.184"
- height="0.164"
- x="3.0039999"
- y="4.0279999"
- id="rect28"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 2.263,4.519 L 2.263,5.414"
- id="path30"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 2.518,4.519 L 2.518,5.414"
- id="path32"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 2.774,4.519 L 2.774,5.414"
- id="path34"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 3.03,4.519 L 3.03,5.414"
- id="path36"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 3.285,4.519 L 3.285,5.414"
- id="path38"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 3.541,4.519 L 3.541,5.414"
- id="path40"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="1.7,5.9 2.007,5.286 2.007,5.593 3.541,5.593 3.541,5.286 3.95,5.9 1.7,5.9 "
- id="polygon42"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="1.7,5.9 2.007,5.286 2.007,5.593 3.541,5.593 3.541,5.286 3.95,5.9 1.7,5.9 "
- id="polygon44"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.595"
- height="3.7219999"
- x="6.119"
- y="2"
- id="rect46"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.595"
- height="3.7219999"
- x="6.119"
- y="2"
- id="rect48"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.276"
- height="0.42500001"
- x="6.2789998"
- y="2.223"
- id="rect50"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.276"
- height="0.42500001"
- x="6.2789998"
- y="2.6489999"
- id="rect52"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.276"
- height="0.42500001"
- x="6.2789998"
- y="3.0739999"
- id="rect54"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.276"
- height="0.42500001"
- x="6.2789998"
- y="3.4990001"
- id="rect56"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.79799998"
- height="0.255"
- x="6.2789998"
- y="4.0100002"
- id="rect58"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="7.4749999"
- cy="4.052"
- rx="0.056000002"
- ry="0.056000002"
- id="ellipse60"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="7.4749999"
- cy="4.052"
- rx="0.056000002"
- ry="0.056000002"
- id="ellipse62"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="7.4749999"
- cy="4.223"
- rx="0.056000002"
- ry="0.056000002"
- id="ellipse64"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="7.4749999"
- cy="4.223"
- rx="0.056000002"
- ry="0.056000002"
- id="ellipse66"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.191"
- height="0.17"
- x="7.1560001"
- y="4.0949998"
- id="rect68"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.191"
- height="0.17"
- x="7.1560001"
- y="4.0949998"
- id="rect70"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 6.385,4.605 L 6.385,5.536"
- id="path72"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 6.651,4.605 L 6.651,5.536"
- id="path74"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 6.917,4.605 L 6.917,5.536"
- id="path76"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 7.182,4.605 L 7.182,5.536"
- id="path78"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 7.448,4.605 L 7.448,5.536"
- id="path80"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 7.714,4.605 L 7.714,5.536"
- id="path82"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="5.8,6.041 6.119,5.403 6.119,5.722 7.714,5.722 7.714,5.403 8.139,6.041 5.8,6.041 "
- id="polygon84"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="5.8,6.041 6.119,5.403 6.119,5.722 7.714,5.722 7.714,5.403 8.139,6.041 5.8,6.041 "
- id="polygon86"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.618"
- height="3.776"
- x="10.124"
- y="1.9"
- id="rect88"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.618"
- height="3.776"
- x="10.124"
- y="1.9"
- id="rect90"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.295"
- height="0.43200001"
- x="10.286"
- y="2.1270001"
- id="rect92"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.295"
- height="0.43200001"
- x="10.286"
- y="2.5580001"
- id="rect94"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.295"
- height="0.43200001"
- x="10.286"
- y="2.99"
- id="rect96"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.295"
- height="0.43200001"
- x="10.286"
- y="3.421"
- id="rect98"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.80900002"
- height="0.259"
- x="10.286"
- y="3.9389999"
- id="rect100"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="11.499"
- cy="3.9820001"
- rx="0.057"
- ry="0.057"
- id="ellipse102"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="11.499"
- cy="3.9820001"
- rx="0.057"
- ry="0.057"
- id="ellipse104"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="11.499"
- cy="4.1550002"
- rx="0.057"
- ry="0.057"
- id="ellipse106"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="11.499"
- cy="4.1550002"
- rx="0.057"
- ry="0.057"
- id="ellipse108"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.19400001"
- height="0.17299999"
- x="11.176"
- y="4.026"
- id="rect110"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.19400001"
- height="0.17299999"
- x="11.176"
- y="4.026"
- id="rect112"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 10.393,4.543 L 10.393,5.487"
- id="path114"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 10.663,4.543 L 10.663,5.487"
- id="path116"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 10.933,4.543 L 10.933,5.487"
- id="path118"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 11.203,4.543 L 11.203,5.487"
- id="path120"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 11.472,4.543 L 11.472,5.487"
- id="path122"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 11.742,4.543 L 11.742,5.487"
- id="path124"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="9.8,6 10.124,5.353 10.124,5.676 11.742,5.676 11.742,5.353 12.174,6 9.8,6 "
- id="polygon126"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="9.8,6 10.124,5.353 10.124,5.676 11.742,5.676 11.742,5.353 12.174,6 9.8,6 "
- id="polygon128"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="2.2"
- y="1.4"
- id="text130"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N1_A</text>
- <text
- x="6.1999998"
- y="1.4"
- id="text132"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N1_B</text>
- <text
- x="10.1"
- y="1.3"
- id="text134"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N1_C (DMB)</text>
- <rect
- width="1.631"
- height="3.806"
- x="14.726"
- y="1.8"
- id="rect136"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.631"
- height="3.806"
- x="14.726"
- y="1.8"
- id="rect138"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.3049999"
- height="0.435"
- x="14.889"
- y="2.0280001"
- id="rect140"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.3049999"
- height="0.435"
- x="14.889"
- y="2.4630001"
- id="rect142"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.3049999"
- height="0.435"
- x="14.889"
- y="2.898"
- id="rect144"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.3049999"
- height="0.435"
- x="14.889"
- y="3.3329999"
- id="rect146"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.815"
- height="0.26100001"
- x="14.889"
- y="3.855"
- id="rect148"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="16.113001"
- cy="3.8989999"
- rx="0.057"
- ry="0.057"
- id="ellipse150"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="16.113001"
- cy="3.8989999"
- rx="0.057"
- ry="0.057"
- id="ellipse152"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="16.113001"
- cy="4.073"
- rx="0.057"
- ry="0.057"
- id="ellipse154"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="16.113001"
- cy="4.073"
- rx="0.057"
- ry="0.057"
- id="ellipse156"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.19599999"
- height="0.17399999"
- x="15.786"
- y="3.9419999"
- id="rect158"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.19599999"
- height="0.17399999"
- x="15.786"
- y="3.9419999"
- id="rect160"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 14.998,4.464 L 14.998,5.415"
- id="path162"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 15.27,4.464 L 15.27,5.415"
- id="path164"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 15.542,4.464 L 15.542,5.415"
- id="path166"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 15.814,4.464 L 15.814,5.415"
- id="path168"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 16.085,4.464 L 16.085,5.415"
- id="path170"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 16.357,4.464 L 16.357,5.415"
- id="path172"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="14.4,5.932 14.726,5.279 14.726,5.606 16.357,5.606 16.357,5.279 16.792,5.932 14.4,5.932 "
- id="polygon174"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="14.4,5.932 14.726,5.279 14.726,5.606 16.357,5.606 16.357,5.279 16.792,5.932 14.4,5.932 "
- id="polygon176"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.9"
- y1="7.0999999"
- x2="2.5999999"
- y2="7.0999999"
- stroke="#000000"
- stroke-width="0.100"
- id="line178"
- style="stroke:#000000;stroke-width:0.1" />
- <line
- x1="2.825"
- y1="5.9000001"
- x2="2.8"
- y2="7"
- stroke="#000000"
- stroke-width="0.100"
- id="line180"
- style="stroke:#000000;stroke-width:0.1" />
- <line
- x1="6.9699998"
- y1="6.0409999"
- x2="6.9000001"
- y2="7"
- stroke="#000000"
- stroke-width="0.100"
- id="line182"
- style="stroke:#000000;stroke-width:0.1" />
- <line
- x1="10.987"
- y1="6"
- x2="11"
- y2="7.0999999"
- stroke="#000000"
- stroke-width="0.100"
- id="line184"
- style="stroke:#000000;stroke-width:0.1" />
- <line
- x1="15.596"
- y1="5.9320002"
- x2="15.6"
- y2="7.0999999"
- stroke="#000000"
- stroke-width="0.100"
- id="line186"
- style="stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.645"
- height="3.839"
- x="18.929001"
- y="1.85"
- id="rect188"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.645"
- height="3.839"
- x="18.929001"
- y="1.85"
- id="rect190"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.316"
- height="0.43900001"
- x="19.094"
- y="2.0799999"
- id="rect192"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.316"
- height="0.43900001"
- x="19.094"
- y="2.5190001"
- id="rect194"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.316"
- height="0.43900001"
- x="19.094"
- y="2.9579999"
- id="rect196"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.316"
- height="0.43900001"
- x="19.094"
- y="3.3970001"
- id="rect198"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.82300001"
- height="0.26300001"
- x="19.094"
- y="3.9230001"
- id="rect200"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="20.327999"
- cy="3.967"
- rx="0.057999998"
- ry="0.057999998"
- id="ellipse202"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="20.327999"
- cy="3.967"
- rx="0.057999998"
- ry="0.057999998"
- id="ellipse204"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="20.327999"
- cy="4.1420002"
- rx="0.057999998"
- ry="0.057999998"
- id="ellipse206"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="20.327999"
- cy="4.1420002"
- rx="0.057999998"
- ry="0.057999998"
- id="ellipse208"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.197"
- height="0.176"
- x="19.999001"
- y="4.0110002"
- id="rect210"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.197"
- height="0.176"
- x="19.999001"
- y="4.0110002"
- id="rect212"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 19.203,4.537 L 19.203,5.497"
- id="path214"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 19.478,4.537 L 19.478,5.497"
- id="path216"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 19.752,4.537 L 19.752,5.497"
- id="path218"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 20.026,4.537 L 20.026,5.497"
- id="path220"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 20.3,4.537 L 20.3,5.497"
- id="path222"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 20.574,4.537 L 20.574,5.497"
- id="path224"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="18.6,6.018 18.929,5.36 18.929,5.689 20.574,5.689 20.574,5.36 21.013,6.018 18.6,6.018 "
- id="polygon226"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="18.6,6.018 18.929,5.36 18.929,5.689 20.574,5.689 20.574,5.36 21.013,6.018 18.6,6.018 "
- id="polygon228"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.799999"
- y1="7.0999999"
- x2="19.806999"
- y2="6.0180001"
- stroke="#000000"
- stroke-width="0.100"
- id="line230"
- style="stroke:#000000;stroke-width:0.1" />
- <text
- x="14.6"
- y="1.3"
- id="text232"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N1_D</text>
- <text
- x="18.9"
- y="1.3"
- id="text234"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N1_E</text>
- <line
- x1="2.5999999"
- y1="7"
- x2="2.5999999"
- y2="8.6000004"
- stroke="#000000"
- stroke-width="0.100"
- id="line236"
- style="stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.3499999"
- height="2.3499999"
- x="1.4"
- y="8.6000004"
- id="rect238"
- style="fill:#9f9f9f;stroke:none;stroke-width:0" />
- <rect
- width="2.3499999"
- height="2.3499999"
- x="1.4"
- y="8.6000004"
- id="rect240"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.3499999"
- height="2.3499999"
- x="1.4"
- y="8.6000004"
- id="rect242"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <path
- d="M 2.72,8.98 C 2.72,10.155 2.955,9.92 1.78,9.92"
- id="path244"
- style="fill:none;stroke:#ffffff;stroke-width:0.13" />
- <path
- d="M 2.72,8.98 C 2.72,10.155 2.955,9.92 1.78,9.92"
- id="path246"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <polygon
- points="2.833,9.164 2.716,8.929 2.599,9.164 2.833,9.164 "
- id="polygon248"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="2.833,9.164 2.716,8.929 2.599,9.164 2.833,9.164 "
- id="polygon250"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="1.964,9.798 1.729,9.916 1.964,10.034 1.964,9.798 "
- id="polygon252"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="1.964,9.798 1.729,9.916 1.964,10.034 1.964,9.798 "
- id="polygon254"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <path
- d="M 3.418,9.641 C 2.243,9.641 2.478,9.406 2.478,10.581"
- id="path256"
- style="fill:none;stroke:#ffffff;stroke-width:0.13" />
- <path
- d="M 3.418,9.641 C 2.243,9.641 2.478,9.406 2.478,10.581"
- id="path258"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <polygon
- points="3.21,9.752 3.445,9.634 3.21,9.516 3.21,9.752 "
- id="polygon260"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.21,9.752 3.445,9.634 3.21,9.516 3.21,9.752 "
- id="polygon262"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="2.34,10.386 2.458,10.621 2.575,10.386 2.34,10.386 "
- id="polygon264"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="2.34,10.386 2.458,10.621 2.575,10.386 2.34,10.386 "
- id="polygon266"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="4.5"
- y="10.1"
- id="text268"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Router 1</text>
- <text
- x="9.8999996"
- y="8.1000004"
- id="text270"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Subnet 1</text>
- <line
- x1="19.9"
- y1="7"
- x2="19.9"
- y2="8.6999998"
- stroke="#000000"
- stroke-width="0.100"
- id="line272"
- style="stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.4000001"
- height="2.4000001"
- x="18.700001"
- y="8.6999998"
- id="rect274"
- style="fill:#9f9f9f;stroke:none;stroke-width:0" />
- <rect
- width="2.4000001"
- height="2.4000001"
- x="18.700001"
- y="8.6999998"
- id="rect276"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.4000001"
- height="2.4000001"
- x="18.700001"
- y="8.6999998"
- id="rect278"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <path
- d="M 20.048,9.088 C 20.048,10.288 20.288,10.048 19.088,10.048"
- id="path280"
- style="fill:none;stroke:#ffffff;stroke-width:0.13" />
- <path
- d="M 20.048,9.088 C 20.048,10.288 20.288,10.048 19.088,10.048"
- id="path282"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <polygon
- points="20.164,9.276 20.044,9.036 19.924,9.276 20.164,9.276 "
- id="polygon284"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="20.164,9.276 20.044,9.036 19.924,9.276 20.164,9.276 "
- id="polygon286"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="19.276,9.924 19.036,10.044 19.276,10.164 19.276,9.924 "
- id="polygon288"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="19.276,9.924 19.036,10.044 19.276,10.164 19.276,9.924 "
- id="polygon290"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <path
- d="M 20.761,9.764 C 19.561,9.764 19.801,9.524 19.801,10.724"
- id="path292"
- style="fill:none;stroke:#ffffff;stroke-width:0.13" />
- <path
- d="M 20.761,9.764 C 19.561,9.764 19.801,9.524 19.801,10.724"
- id="path294"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <polygon
- points="20.548,9.876 20.788,9.756 20.548,9.636 20.548,9.876 "
- id="polygon296"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="20.548,9.876 20.788,9.756 20.548,9.636 20.548,9.876 "
- id="polygon298"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="19.66,10.524 19.78,10.764 19.9,10.524 19.66,10.524 "
- id="polygon300"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="19.66,10.524 19.78,10.764 19.9,10.524 19.66,10.524 "
- id="polygon302"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="15.5"
- y="10.1"
- id="text304"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Router 2</text>
- <line
- x1="2.575"
- y1="10.95"
- x2="2.5999999"
- y2="12.4"
- stroke="#000000"
- stroke-width="0.100"
- id="line306"
- style="stroke:#000000;stroke-width:0.1" />
- <line
- x1="8"
- y1="12.4"
- x2="-1.7"
- y2="12.4"
- stroke="#000000"
- stroke-width="0.100"
- id="line308"
- style="stroke:#000000;stroke-width:0.1" />
- <text
- x="3.4000001"
- y="12"
- id="text310"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Subnet 2</text>
- <rect
- width="1.493"
- height="3.483"
- x="7.099"
- y="13.5"
- id="rect312"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.493"
- height="3.483"
- x="7.099"
- y="13.5"
- id="rect314"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.194"
- height="0.398"
- x="7.2480001"
- y="13.709"
- id="rect316"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.194"
- height="0.398"
- x="7.2480001"
- y="14.107"
- id="rect318"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.194"
- height="0.398"
- x="7.2480001"
- y="14.505"
- id="rect320"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.194"
- height="0.398"
- x="7.2480001"
- y="14.903"
- id="rect322"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.74599999"
- height="0.23899999"
- x="7.2480001"
- y="15.381"
- id="rect324"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="8.3669996"
- cy="15.421"
- rx="0.052000001"
- ry="0.052000001"
- id="ellipse326"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="8.3669996"
- cy="15.421"
- rx="0.052000001"
- ry="0.052000001"
- id="ellipse328"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="8.3669996"
- cy="15.58"
- rx="0.052000001"
- ry="0.052000001"
- id="ellipse330"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="8.3669996"
- cy="15.58"
- rx="0.052000001"
- ry="0.052000001"
- id="ellipse332"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.17900001"
- height="0.15899999"
- x="8.0690002"
- y="15.461"
- id="rect334"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.17900001"
- height="0.15899999"
- x="8.0690002"
- y="15.461"
- id="rect336"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 7.347,15.938 L 7.347,16.809"
- id="path338"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 7.596,15.938 L 7.596,16.809"
- id="path340"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 7.845,15.938 L 7.845,16.809"
- id="path342"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 8.094,15.938 L 8.094,16.809"
- id="path344"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 8.343,15.938 L 8.343,16.809"
- id="path346"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 8.591,15.938 L 8.591,16.809"
- id="path348"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="6.8,17.282 7.099,16.685 7.099,16.983 8.591,16.983 8.591,16.685 8.989,17.282 6.8,17.282 "
- id="polygon350"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="6.8,17.282 7.099,16.685 7.099,16.983 8.591,16.983 8.591,16.685 8.989,17.282 6.8,17.282 "
- id="polygon352"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="7.895"
- y1="13.5"
- x2="7.9000001"
- y2="12.3"
- stroke="#000000"
- stroke-width="0.100"
- id="line354"
- style="stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.535"
- height="3.582"
- x="3.707"
- y="13.489"
- id="rect356"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.535"
- height="3.582"
- x="3.707"
- y="13.489"
- id="rect358"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.228"
- height="0.40900001"
- x="3.8599999"
- y="13.703"
- id="rect360"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="3.8599999"
- y="14.113"
- id="rect362"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="3.8599999"
- y="14.522"
- id="rect364"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="3.8599999"
- y="14.931"
- id="rect366"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.76700002"
- height="0.24600001"
- x="3.8599999"
- y="15.423"
- id="rect368"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="5.0120001"
- cy="15.464"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse370"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="5.0120001"
- cy="15.464"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse372"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="5.0120001"
- cy="15.627"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse374"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="5.0120001"
- cy="15.627"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse376"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.184"
- height="0.164"
- x="4.7049999"
- y="15.505"
- id="rect378"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.184"
- height="0.164"
- x="4.7049999"
- y="15.505"
- id="rect380"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 3.963,15.996 L 3.963,16.891"
- id="path382"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 4.219,15.996 L 4.219,16.891"
- id="path384"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 4.474,15.996 L 4.474,16.891"
- id="path386"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 4.73,15.996 L 4.73,16.891"
- id="path388"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 4.986,15.996 L 4.986,16.891"
- id="path390"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 5.242,15.996 L 5.242,16.891"
- id="path392"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="3.4,17.377 3.707,16.763 3.707,17.07 5.242,17.07 5.242,16.763 5.651,17.377 3.4,17.377 "
- id="polygon394"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="3.4,17.377 3.707,16.763 3.707,17.07 5.242,17.07 5.242,16.763 5.651,17.377 3.4,17.377 "
- id="polygon396"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="4.526"
- y1="13.489"
- x2="4.5999999"
- y2="12.4"
- stroke="#000000"
- stroke-width="0.100"
- id="line398"
- style="stroke:#000000;stroke-width:0.1" />
- <text
- x="7"
- y="18.4"
- id="text400"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N2_D</text>
- <text
- x="7"
- y="19.200001"
- id="text402"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">(WINS)</text>
- <text
- x="3.9000001"
- y="18.4"
- id="text404"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N2_C</text>
- <rect
- width="1.535"
- height="3.582"
- x="0.60699999"
- y="13.5"
- id="rect406"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.535"
- height="3.582"
- x="0.60699999"
- y="13.5"
- id="rect408"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.228"
- height="0.40900001"
- x="0.75999999"
- y="13.715"
- id="rect410"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="0.75999999"
- y="14.124"
- id="rect412"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="0.75999999"
- y="14.534"
- id="rect414"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="0.75999999"
- y="14.943"
- id="rect416"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.76700002"
- height="0.24600001"
- x="0.75999999"
- y="15.434"
- id="rect418"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="1.9119999"
- cy="15.475"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse420"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="1.9119999"
- cy="15.475"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse422"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="1.9119999"
- cy="15.639"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse424"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="1.9119999"
- cy="15.639"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse426"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.184"
- height="0.164"
- x="1.605"
- y="15.516"
- id="rect428"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.184"
- height="0.164"
- x="1.605"
- y="15.516"
- id="rect430"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 0.863,16.007 L 0.863,16.903"
- id="path432"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 1.119,16.007 L 1.119,16.903"
- id="path434"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 1.374,16.007 L 1.374,16.903"
- id="path436"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 1.63,16.007 L 1.63,16.903"
- id="path438"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 1.886,16.007 L 1.886,16.903"
- id="path440"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 2.142,16.007 L 2.142,16.903"
- id="path442"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="0.3,17.389 0.607,16.775 0.607,17.082 2.142,17.082 2.142,16.775 2.551,17.389 0.3,17.389 "
- id="polygon444"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="0.3,17.389 0.607,16.775 0.607,17.082 2.142,17.082 2.142,16.775 2.551,17.389 0.3,17.389 "
- id="polygon446"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="1.426"
- y1="13.5"
- x2="1.5"
- y2="12.411"
- stroke="#000000"
- stroke-width="0.100"
- id="line448"
- style="stroke:#000000;stroke-width:0.1" />
- <text
- x="0.80000001"
- y="18.410999"
- id="text450"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N2_B</text>
- <rect
- width="1.535"
- height="3.582"
- x="-2.493"
- y="13.5"
- id="rect452"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.535"
- height="3.582"
- x="-2.493"
- y="13.5"
- id="rect454"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.228"
- height="0.40900001"
- x="-2.3399999"
- y="13.715"
- id="rect456"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="-2.3399999"
- y="14.124"
- id="rect458"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="-2.3399999"
- y="14.534"
- id="rect460"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="-2.3399999"
- y="14.943"
- id="rect462"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.76700002"
- height="0.24600001"
- x="-2.3399999"
- y="15.434"
- id="rect464"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="-1.188"
- cy="15.475"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse466"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="-1.188"
- cy="15.475"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse468"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="-1.188"
- cy="15.639"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse470"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="-1.188"
- cy="15.639"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse472"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.184"
- height="0.164"
- x="-1.495"
- y="15.516"
- id="rect474"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.184"
- height="0.164"
- x="-1.495"
- y="15.516"
- id="rect476"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M -2.237,16.007 L -2.237,16.903"
- id="path478"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M -1.981,16.007 L -1.981,16.903"
- id="path480"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M -1.726,16.007 L -1.726,16.903"
- id="path482"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M -1.47,16.007 L -1.47,16.903"
- id="path484"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M -1.214,16.007 L -1.214,16.903"
- id="path486"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M -0.958,16.007 L -0.958,16.903"
- id="path488"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="-2.8,17.389 -2.493,16.775 -2.493,17.082 -0.958,17.082 -0.958,16.775 -0.549,17.389 -2.8,17.389 "
- id="polygon490"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="-2.8,17.389 -2.493,16.775 -2.493,17.082 -0.958,17.082 -0.958,16.775 -0.549,17.389 -2.8,17.389 "
- id="polygon492"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="-1.674"
- y1="13.5"
- x2="-1.6"
- y2="12.411"
- stroke="#000000"
- stroke-width="0.100"
- id="line494"
- style="stroke:#000000;stroke-width:0.1" />
- <text
- x="-2.4000001"
- y="18.4"
- id="text496"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N2_A</text>
- <line
- x1="19.9"
- y1="11.1"
- x2="19.9"
- y2="12.6"
- stroke="#000000"
- stroke-width="0.100"
- id="line498"
- style="stroke:#000000;stroke-width:0.1" />
- <line
- x1="25.299999"
- y1="12.6"
- x2="15.6"
- y2="12.6"
- stroke="#000000"
- stroke-width="0.100"
- id="line500"
- style="stroke:#000000;stroke-width:0.1" />
- <text
- x="20.700001"
- y="12.2"
- id="text502"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Subnet 3</text>
- <rect
- width="1.493"
- height="3.483"
- x="24.399"
- y="13.7"
- id="rect504"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.493"
- height="3.483"
- x="24.399"
- y="13.7"
- id="rect506"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.194"
- height="0.398"
- x="24.548"
- y="13.909"
- id="rect508"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.194"
- height="0.398"
- x="24.548"
- y="14.307"
- id="rect510"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.194"
- height="0.398"
- x="24.548"
- y="14.705"
- id="rect512"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.194"
- height="0.398"
- x="24.548"
- y="15.103"
- id="rect514"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.74599999"
- height="0.23899999"
- x="24.548"
- y="15.581"
- id="rect516"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="25.667"
- cy="15.621"
- rx="0.052000001"
- ry="0.052000001"
- id="ellipse518"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="25.667"
- cy="15.621"
- rx="0.052000001"
- ry="0.052000001"
- id="ellipse520"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="25.667"
- cy="15.78"
- rx="0.052000001"
- ry="0.052000001"
- id="ellipse522"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="25.667"
- cy="15.78"
- rx="0.052000001"
- ry="0.052000001"
- id="ellipse524"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.17900001"
- height="0.15899999"
- x="25.368999"
- y="15.661"
- id="rect526"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.17900001"
- height="0.15899999"
- x="25.368999"
- y="15.661"
- id="rect528"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 24.647,16.138 L 24.647,17.009"
- id="path530"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 24.896,16.138 L 24.896,17.009"
- id="path532"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 25.145,16.138 L 25.145,17.009"
- id="path534"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 25.394,16.138 L 25.394,17.009"
- id="path536"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 25.643,16.138 L 25.643,17.009"
- id="path538"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 25.891,16.138 L 25.891,17.009"
- id="path540"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="24.1,17.482 24.399,16.885 24.399,17.183 25.891,17.183 25.891,16.885 26.289,17.482 24.1,17.482 "
- id="polygon542"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="24.1,17.482 24.399,16.885 24.399,17.183 25.891,17.183 25.891,16.885 26.289,17.482 24.1,17.482 "
- id="polygon544"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="25.195"
- y1="13.7"
- x2="25.200001"
- y2="12.5"
- stroke="#000000"
- stroke-width="0.100"
- id="line546"
- style="stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.535"
- height="3.582"
- x="21.007"
- y="13.689"
- id="rect548"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.535"
- height="3.582"
- x="21.007"
- y="13.689"
- id="rect550"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.228"
- height="0.40900001"
- x="21.16"
- y="13.903"
- id="rect552"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="21.16"
- y="14.313"
- id="rect554"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="21.16"
- y="14.722"
- id="rect556"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="21.16"
- y="15.131"
- id="rect558"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.76700002"
- height="0.24600001"
- x="21.16"
- y="15.623"
- id="rect560"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="22.312"
- cy="15.664"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse562"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="22.312"
- cy="15.664"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse564"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="22.312"
- cy="15.827"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse566"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="22.312"
- cy="15.827"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse568"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.184"
- height="0.164"
- x="22.004999"
- y="15.705"
- id="rect570"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.184"
- height="0.164"
- x="22.004999"
- y="15.705"
- id="rect572"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 21.263,16.196 L 21.263,17.091"
- id="path574"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 21.519,16.196 L 21.519,17.091"
- id="path576"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 21.774,16.196 L 21.774,17.091"
- id="path578"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 22.03,16.196 L 22.03,17.091"
- id="path580"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 22.286,16.196 L 22.286,17.091"
- id="path582"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 22.542,16.196 L 22.542,17.091"
- id="path584"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="20.7,17.577 21.007,16.963 21.007,17.27 22.542,17.27 22.542,16.963 22.951,17.577 20.7,17.577 "
- id="polygon586"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="20.7,17.577 21.007,16.963 21.007,17.27 22.542,17.27 22.542,16.963 22.951,17.577 20.7,17.577 "
- id="polygon588"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="21.826"
- y1="13.689"
- x2="21.9"
- y2="12.6"
- stroke="#000000"
- stroke-width="0.100"
- id="line590"
- style="stroke:#000000;stroke-width:0.1" />
- <text
- x="24.299999"
- y="18.6"
- id="text592"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N3_D</text>
- <text
- x="21.200001"
- y="18.6"
- id="text594"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N3_C</text>
- <rect
- width="1.535"
- height="3.582"
- x="17.907"
- y="13.7"
- id="rect596"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.535"
- height="3.582"
- x="17.907"
- y="13.7"
- id="rect598"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.228"
- height="0.40900001"
- x="18.059999"
- y="13.915"
- id="rect600"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="18.059999"
- y="14.324"
- id="rect602"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="18.059999"
- y="14.734"
- id="rect604"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="18.059999"
- y="15.143"
- id="rect606"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.76700002"
- height="0.24600001"
- x="18.059999"
- y="15.634"
- id="rect608"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="19.212"
- cy="15.675"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse610"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="19.212"
- cy="15.675"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse612"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="19.212"
- cy="15.839"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse614"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="19.212"
- cy="15.839"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse616"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.184"
- height="0.164"
- x="18.905001"
- y="15.716"
- id="rect618"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.184"
- height="0.164"
- x="18.905001"
- y="15.716"
- id="rect620"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 18.163,16.207 L 18.163,17.103"
- id="path622"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 18.419,16.207 L 18.419,17.103"
- id="path624"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 18.674,16.207 L 18.674,17.103"
- id="path626"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 18.93,16.207 L 18.93,17.103"
- id="path628"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 19.186,16.207 L 19.186,17.103"
- id="path630"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 19.442,16.207 L 19.442,17.103"
- id="path632"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="17.6,17.589 17.907,16.975 17.907,17.282 19.442,17.282 19.442,16.975 19.851,17.589 17.6,17.589 "
- id="polygon634"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="17.6,17.589 17.907,16.975 17.907,17.282 19.442,17.282 19.442,16.975 19.851,17.589 17.6,17.589 "
- id="polygon636"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="18.726"
- y1="13.7"
- x2="18.799999"
- y2="12.611"
- stroke="#000000"
- stroke-width="0.100"
- id="line638"
- style="stroke:#000000;stroke-width:0.1" />
- <text
- x="18.1"
- y="18.611"
- id="text640"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N3_B</text>
- <rect
- width="1.535"
- height="3.582"
- x="14.807"
- y="13.7"
- id="rect642"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.535"
- height="3.582"
- x="14.807"
- y="13.7"
- id="rect644"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.228"
- height="0.40900001"
- x="14.96"
- y="13.915"
- id="rect646"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="14.96"
- y="14.324"
- id="rect648"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="14.96"
- y="14.734"
- id="rect650"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.228"
- height="0.40900001"
- x="14.96"
- y="15.143"
- id="rect652"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.76700002"
- height="0.24600001"
- x="14.96"
- y="15.634"
- id="rect654"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="16.112"
- cy="15.675"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse656"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="16.112"
- cy="15.675"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse658"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="16.112"
- cy="15.839"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse660"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="16.112"
- cy="15.839"
- rx="0.054000001"
- ry="0.054000001"
- id="ellipse662"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.184"
- height="0.164"
- x="15.805"
- y="15.716"
- id="rect664"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.184"
- height="0.164"
- x="15.805"
- y="15.716"
- id="rect666"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 15.063,16.207 L 15.063,17.103"
- id="path668"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 15.319,16.207 L 15.319,17.103"
- id="path670"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 15.574,16.207 L 15.574,17.103"
- id="path672"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 15.83,16.207 L 15.83,17.103"
- id="path674"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 16.086,16.207 L 16.086,17.103"
- id="path676"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 16.342,16.207 L 16.342,17.103"
- id="path678"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="14.5,17.589 14.807,16.975 14.807,17.282 16.342,17.282 16.342,16.975 16.751,17.589 14.5,17.589 "
- id="polygon680"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="14.5,17.589 14.807,16.975 14.807,17.282 16.342,17.282 16.342,16.975 16.751,17.589 14.5,17.589 "
- id="polygon682"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="15.626"
- y1="13.7"
- x2="15.7"
- y2="12.611"
- stroke="#000000"
- stroke-width="0.100"
- id="line684"
- style="stroke:#000000;stroke-width:0.1" />
- <text
- x="14.9"
- y="18.6"
- id="text686"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">N3_A</text>
-</svg>
diff --git a/docs/htmldocs/Samba3-HOWTO/images/cups1.png b/docs/htmldocs/Samba3-HOWTO/images/cups1.png
deleted file mode 100644
index c93d987a20..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/cups1.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/cups1.svg b/docs/htmldocs/Samba3-HOWTO/images/cups1.svg
deleted file mode 100644
index 18b7e4f2a6..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/cups1.svg
+++ /dev/null
@@ -1,274 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="27.950001cm"
- height="23.34cm"
- viewBox="0.8 0.857 28.75 24.198"
- id="svg2">
- <defs
- id="defs117" />
- <text
- x="0.80000001"
- y="1.4"
- id="text4"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">CUPS in and of itself has this (general) filter chain (italic letters</text>
- <text
- x="0.80000001"
- y="2.2"
- id="text6"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">are file-formats or MIME types, other are filters (this is</text>
- <text
- x="0.80000001"
- y="3"
- id="text8"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">true for pre-1.1.15 of pre-4.3 versions of CUPS and ESP PrintPro):</text>
- <text
- x="2.0999999"
- y="4.9000001"
- id="text10"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">something-fileformat</text>
- <polygon
- points="4.625,5.6 4.625,6.45 4.2,6.45 5.05,7.3 5.9,6.45 5.475,6.45 5.475,5.6 4.625,5.6 "
- id="polygon12"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.625,5.6 4.625,6.45 4.2,6.45 5.05,7.3 5.9,6.45 5.475,6.45 5.475,5.6 4.625,5.6 "
- id="polygon14"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.625,5.6 4.625,6.45 4.2,6.45 5.05,7.3 5.9,6.45 5.475,6.45 5.475,5.6 4.625,5.6 "
- id="polygon16"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="2.0999999"
- y="11.9"
- id="text18"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">application/postscript</text>
- <polygon
- points="4.725,12.6 4.725,13.45 4.3,13.45 5.15,14.3 6,13.45 5.575,13.45 5.575,12.6 4.725,12.6 "
- id="polygon20"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.725,12.6 4.725,13.45 4.3,13.45 5.15,14.3 6,13.45 5.575,13.45 5.575,12.6 4.725,12.6 "
- id="polygon22"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.725,12.6 4.725,13.45 4.3,13.45 5.15,14.3 6,13.45 5.575,13.45 5.575,12.6 4.725,12.6 "
- id="polygon24"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="4.625,9 4.625,9.85 4.2,9.85 5.05,10.7 5.9,9.85 5.475,9.85 5.475,9 4.625,9 "
- id="polygon26"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.625,9 4.625,9.85 4.2,9.85 5.05,10.7 5.9,9.85 5.475,9.85 5.475,9 4.625,9 "
- id="polygon28"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.625,9 4.625,9.85 4.2,9.85 5.05,10.7 5.9,9.85 5.475,9.85 5.475,9 4.625,9 "
- id="polygon30"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="2.8"
- y="8.3000002"
- id="text32"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">somethingtops</text>
- <text
- x="4.0999999"
- y="15.3"
- id="text34"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">pstops</text>
- <polygon
- points="4.725,15.8 4.725,16.65 4.3,16.65 5.15,17.5 6,16.65 5.575,16.65 5.575,15.8 4.725,15.8 "
- id="polygon36"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.725,15.8 4.725,16.65 4.3,16.65 5.15,17.5 6,16.65 5.575,16.65 5.575,15.8 4.725,15.8 "
- id="polygon38"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.725,15.8 4.725,16.65 4.3,16.65 5.15,17.5 6,16.65 5.575,16.65 5.575,15.8 4.725,15.8 "
- id="polygon40"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="1.2"
- y="18.4"
- id="text42"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">application/vnd.cups-postscript</text>
- <text
- x="14.8"
- y="18.4"
- id="text44"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">pstoraster</text>
- <text
- x="13.4"
- y="14.8"
- id="text46"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">application/vnd.cups-raster</text>
- <text
- x="14.2"
- y="11.2"
- id="text48"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">rastertosomething</text>
- <text
- x="13.3"
- y="7.6999998"
- id="text50"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">something-device-specific</text>
- <text
- x="25.6"
- y="7.6999998"
- id="text52"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">backend</text>
- <polygon
- points="11.2,17.625 12.5,17.625 12.5,17.2 13.8,18.05 12.5,18.9 12.5,18.475 11.2,18.475 11.2,17.625 "
- id="polygon54"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="11.2,17.625 12.5,17.625 12.5,17.2 13.8,18.05 12.5,18.9 12.5,18.475 11.2,18.475 11.2,17.625 "
- id="polygon56"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="11.2,17.625 12.5,17.625 12.5,17.2 13.8,18.05 12.5,18.9 12.5,18.475 11.2,18.475 11.2,17.625 "
- id="polygon58"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="16.35,17.5 16.35,16.35 15.9,16.35 16.8,15.2 17.7,16.35 17.25,16.35 17.25,17.5 16.35,17.5 "
- id="polygon60"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="16.35,17.5 16.35,16.35 15.9,16.35 16.8,15.2 17.7,16.35 17.25,16.35 17.25,17.5 16.35,17.5 "
- id="polygon62"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="16.35,17.5 16.35,16.35 15.9,16.35 16.8,15.2 17.7,16.35 17.25,16.35 17.25,17.5 16.35,17.5 "
- id="polygon64"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="16.35,14 16.35,12.85 15.9,12.85 16.8,11.7 17.7,12.85 17.25,12.85 17.25,14 16.35,14 "
- id="polygon66"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="16.35,14 16.35,12.85 15.9,12.85 16.8,11.7 17.7,12.85 17.25,12.85 17.25,14 16.35,14 "
- id="polygon68"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="16.35,14 16.35,12.85 15.9,12.85 16.8,11.7 17.7,12.85 17.25,12.85 17.25,14 16.35,14 "
- id="polygon70"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="16.35,10.3 16.35,9.15 15.9,9.15 16.8,8 17.7,9.15 17.25,9.15 17.25,10.3 16.35,10.3 "
- id="polygon72"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="16.35,10.3 16.35,9.15 15.9,9.15 16.8,8 17.7,9.15 17.25,9.15 17.25,10.3 16.35,10.3 "
- id="polygon74"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="16.35,10.3 16.35,9.15 15.9,9.15 16.8,8 17.7,9.15 17.25,9.15 17.25,10.3 16.35,10.3 "
- id="polygon76"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="21.9,7.025 23.2,7.025 23.2,6.6 24.5,7.45 23.2,8.3 23.2,7.875 21.9,7.875 21.9,7.025 "
- id="polygon78"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="21.9,7.025 23.2,7.025 23.2,6.6 24.5,7.45 23.2,8.3 23.2,7.875 21.9,7.875 21.9,7.025 "
- id="polygon80"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="21.9,7.025 23.2,7.025 23.2,6.6 24.5,7.45 23.2,8.3 23.2,7.875 21.9,7.875 21.9,7.025 "
- id="polygon82"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="8.1000004"
- height="2.7"
- x="20.200001"
- y="10"
- id="rect84"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="8.1000004"
- height="2.7"
- x="20.200001"
- y="10"
- id="rect86"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="20.5"
- y="10.7"
- id="text88"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">e.g. Gimp-Print filters</text>
- <text
- x="20.5"
- y="11.5"
- id="text90"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">may be plugged in here</text>
- <text
- x="20.5"
- y="12.3"
- id="text92"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">(= &quot;raster driver&quot;)</text>
- <text
- x="1.5"
- y="20.700001"
- id="text94"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">ESP PrintPro has some enhanced &quot;rastertosomething&quot; filters as compared to</text>
- <text
- x="1.5"
- y="21.5"
- id="text96"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">CUPS, and also a somewhat improved &quot;pstoraster&quot; filter.</text>
- <text
- x="1.6"
- y="23"
- id="text98"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to</text>
- <text
- x="1.6"
- y="23.799999"
- id="text100"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">CUPS and ESP PrintPro plug-in where rastertosomething is noted.</text>
- <rect
- width="10.1"
- height="4.4000001"
- x="18.6"
- y="15.5"
- id="rect102"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="10.1"
- height="4.4000001"
- x="18.6"
- y="15.5"
- id="rect104"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="19"
- y="16.4"
- id="text106"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">as shipped with CUPS,</text>
- <text
- x="19"
- y="17.200001"
- id="text108"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">independent from any</text>
- <text
- x="19"
- y="18"
- id="text110"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">GhostScript installation on the</text>
- <text
- x="19"
- y="18.799999"
- id="text112"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">system</text>
- <text
- x="19"
- y="19.6"
- id="text114"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">(= &quot;postscript interpreter&quot;)</text>
-</svg>
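Review bot: Documentation point on the whole-file removal (`@@ -1,274 +0,0 @@`): the `<text>` elements in this file (text4 through text114) carry the figure's explanation of the CUPS filter chain, not only its labels, so deleting the SVG together with cups1.png removes readable content as well as the picture. If the commit message does not already say so, it should state where the editable source of this figure is kept, or that the files under docs/htmldocs are generated output, so the removal can be checked against that source.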
diff --git a/docs/htmldocs/Samba3-HOWTO/images/cups2.png b/docs/htmldocs/Samba3-HOWTO/images/cups2.png
deleted file mode 100644
index fae32fc9a0..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/cups2.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/cups2.svg b/docs/htmldocs/Samba3-HOWTO/images/cups2.svg
deleted file mode 100644
index 8cddd339c0..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/cups2.svg
+++ /dev/null
@@ -1,320 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="24.681999cm"
- height="42.34cm"
- viewBox="0.268 0.758 24.95 43.098"
- id="svg2">
- <defs
- id="defs139" />
- <text
- x="1"
- y="1.3"
- id="text4"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">something-fileformat</text>
- <polygon
- points="3.163,1.9 3.163,2.825 2.7,2.825 3.625,3.75 4.55,2.825 4.088,2.825 4.088,1.9 3.163,1.9 "
- id="polygon6"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.163,1.9 3.163,2.825 2.7,2.825 3.625,3.75 4.55,2.825 4.088,2.825 4.088,1.9 3.163,1.9 "
- id="polygon8"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="3.163,1.9 3.163,2.825 2.7,2.825 3.625,3.75 4.55,2.825 4.088,2.825 4.088,1.9 3.163,1.9 "
- id="polygon10"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="1.7"
- y="4.8000002"
- id="text12"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">somethingtops</text>
- <text
- x="1.4"
- y="8.3000002"
- id="text14"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">application/postscript</text>
- <polygon
- points="3.262,5.4 3.262,6.325 2.8,6.325 3.725,7.25 4.65,6.325 4.188,6.325 4.188,5.4 3.262,5.4 "
- id="polygon16"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.262,5.4 3.262,6.325 2.8,6.325 3.725,7.25 4.65,6.325 4.188,6.325 4.188,5.4 3.262,5.4 "
- id="polygon18"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="3.262,5.4 3.262,6.325 2.8,6.325 3.725,7.25 4.65,6.325 4.188,6.325 4.188,5.4 3.262,5.4 "
- id="polygon20"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="2.8"
- y="11.5"
- id="text22"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">pstops</text>
- <polygon
- points="3.262,8.7 3.262,9.625 2.8,9.625 3.725,10.55 4.65,9.625 4.188,9.625 4.188,8.7 3.262,8.7 "
- id="polygon24"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.262,8.7 3.262,9.625 2.8,9.625 3.725,10.55 4.65,9.625 4.188,9.625 4.188,8.7 3.262,8.7 "
- id="polygon26"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="3.262,8.7 3.262,9.625 2.8,9.625 3.725,10.55 4.65,9.625 4.188,9.625 4.188,8.7 3.262,8.7 "
- id="polygon28"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="3.362,12.1 3.362,13.025 2.9,13.025 3.825,13.95 4.75,13.025 4.287,13.025 4.287,12.1 3.362,12.1 "
- id="polygon30"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.362,12.1 3.362,13.025 2.9,13.025 3.825,13.95 4.75,13.025 4.287,13.025 4.287,12.1 3.362,12.1 "
- id="polygon32"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="3.362,12.1 3.362,13.025 2.9,13.025 3.825,13.95 4.75,13.025 4.287,13.025 4.287,12.1 3.362,12.1 "
- id="polygon34"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="0.30000001"
- y="15"
- id="text36"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">application/vnd.cups-postscript</text>
- <polygon
- points="10.5,14.275 12,14.275 12,13.8 13.5,14.75 12,15.7 12,15.225 10.5,15.225 10.5,14.275 "
- id="polygon38"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="10.5,14.275 12,14.275 12,13.8 13.5,14.75 12,15.7 12,15.225 10.5,15.225 10.5,14.275 "
- id="polygon40"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="10.5,14.275 12,14.275 12,13.8 13.5,14.75 12,15.7 12,15.225 10.5,15.225 10.5,14.275 "
- id="polygon42"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="14.2"
- y="14.9"
- id="text44"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">cupsomatic</text>
- <rect
- width="10.5"
- height="3.8"
- x="14.4"
- y="10"
- id="rect46"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="10.5"
- height="3.8"
- x="14.4"
- y="10"
- id="rect48"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="14.9"
- y="11"
- id="text50"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">(constructs complicated</text>
- <text
- x="14.9"
- y="11.8"
- id="text52"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Ghostscript commandline</text>
- <text
- x="14.9"
- y="12.6"
- id="text54"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">to let the file be processed by a</text>
- <text
- x="14.9"
- y="13.4"
- id="text56"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">&quot;-sDEVICE-s.th.&quot; call...)</text>
- <polygon
- points="3.462,15.7 3.462,16.625 3,16.625 3.925,17.55 4.85,16.625 4.388,16.625 4.388,15.7 3.462,15.7 "
- id="polygon58"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.462,15.7 3.462,16.625 3,16.625 3.925,17.55 4.85,16.625 4.388,16.625 4.388,15.7 3.462,15.7 "
- id="polygon60"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="3.462,15.7 3.462,16.625 3,16.625 3.925,17.55 4.85,16.625 4.388,16.625 4.388,15.7 3.462,15.7 "
- id="polygon62"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="2.6159999"
- y="18.299999"
- id="text64"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">pstoraster</text>
- <text
- x="0.26800001"
- y="19.1"
- id="text66"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">(= &quot;postscript interpreter&quot;)</text>
- <polygon
- points="3.562,19.4 3.562,20.325 3.1,20.325 4.025,21.25 4.95,20.325 4.487,20.325 4.487,19.4 3.562,19.4 "
- id="polygon68"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.562,19.4 3.562,20.325 3.1,20.325 4.025,21.25 4.95,20.325 4.487,20.325 4.487,19.4 3.562,19.4 "
- id="polygon70"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="3.562,19.4 3.562,20.325 3.1,20.325 4.025,21.25 4.95,20.325 4.487,20.325 4.487,19.4 3.562,19.4 "
- id="polygon72"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="0.80000001"
- y="22.299999"
- id="text74"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">application/vnd.cups-raster</text>
- <polygon
- points="3.663,23 3.663,23.925 3.2,23.925 4.125,24.85 5.05,23.925 4.588,23.925 4.588,23 3.663,23 "
- id="polygon76"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.663,23 3.663,23.925 3.2,23.925 4.125,24.85 5.05,23.925 4.588,23.925 4.588,23 3.663,23 "
- id="polygon78"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="3.663,23 3.663,23.925 3.2,23.925 4.125,24.85 5.05,23.925 4.588,23.925 4.588,23 3.663,23 "
- id="polygon80"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="1.7"
- y="25.5"
- id="text82"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">rastertosomething</text>
- <text
- x="1.7"
- y="26.299999"
- id="text84"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">(= &quot;raster driver&quot;)</text>
- <polygon
- points="16.915,16.1 16.915,17.129 16.4,17.129 17.429,18.159 18.459,17.129 17.944,17.129 17.944,16.1 16.915,16.1 "
- id="polygon86"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="16.915,16.1 16.915,17.129 16.4,17.129 17.429,18.159 18.459,17.129 17.944,17.129 17.944,16.1 16.915,16.1 "
- id="polygon88"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="16.915,16.1 16.915,17.129 16.4,17.129 17.429,18.159 18.459,17.129 17.944,17.129 17.944,16.1 16.915,16.1 "
- id="polygon90"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="3.762,26.8 3.762,27.725 3.3,27.725 4.225,28.65 5.15,27.725 4.688,27.725 4.688,26.8 3.762,26.8 "
- id="polygon92"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.762,26.8 3.762,27.725 3.3,27.725 4.225,28.65 5.15,27.725 4.688,27.725 4.688,26.8 3.762,26.8 "
- id="polygon94"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="3.762,26.8 3.762,27.725 3.3,27.725 4.225,28.65 5.15,27.725 4.688,27.725 4.688,26.8 3.762,26.8 "
- id="polygon96"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="1"
- y="29.6"
- id="text98"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">something device specific</text>
- <polygon
- points="3.762,30.3 3.762,31.225 3.3,31.225 4.225,32.15 5.15,31.225 4.688,31.225 4.688,30.3 3.762,30.3 "
- id="polygon100"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="3.762,30.3 3.762,31.225 3.3,31.225 4.225,32.15 5.15,31.225 4.688,31.225 4.688,30.3 3.762,30.3 "
- id="polygon102"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="3.762,30.3 3.762,31.225 3.3,31.225 4.225,32.15 5.15,31.225 4.688,31.225 4.688,30.3 3.762,30.3 "
- id="polygon104"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="3.2"
- y="33.299999"
- id="text106"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">backend</text>
- <polygon
- points="11.65,32.413 10.625,32.413 10.625,31.9 9.6,32.925 10.625,33.95 10.625,33.438 11.65,33.438 11.65,32.413 "
- id="polygon108"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="11.65,32.413 10.625,32.413 10.625,31.9 9.6,32.925 10.625,33.95 10.625,33.438 11.65,33.438 11.65,32.413 "
- id="polygon110"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="11.65,32.413 10.625,32.413 10.625,31.9 9.6,32.925 10.625,33.95 10.625,33.438 11.65,33.438 11.65,32.413 "
- id="polygon112"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="7.5"
- height="14.3"
- x="14.6"
- y="19.4"
- id="rect114"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="7.5"
- height="14.3"
- x="14.6"
- y="19.4"
- id="rect116"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="15.28"
- y="26.6"
- id="text118"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Ghostscript at work....</text>
- <text
- x="1.2"
- y="35.5"
- id="text120"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Note, that cupsomatic &quot;kidnaps&quot; the printfile after the</text>
- <text
- x="1.2"
- y="36.299999"
- id="text122"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">application/vnd.cups-postscript stage and deviates it gh</text>
- <text
- x="1.2"
- y="37.099998"
- id="text124"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">the CUPS-external, systemwide Ghostscript installation, bypassing the</text>
- <text
- x="1.2"
- y="37.900002"
- id="text126"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">&quot;pstoraster&quot; filter (therefore also bypassing the CUPS-raster-drivers</text>
- <text
- x="1.2"
- y="38.700001"
- id="text128"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">&quot;rastertosomething&quot;, and hands the rasterized file directly to the CUPS</text>
- <text
- x="1.2"
- y="39.5"
- id="text130"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">backend...</text>
- <text
- x="1.2"
- y="41.099998"
- id="text132"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">cupsomatic is not made by the CUPS developers. It is an independent</text>
- <text
- x="1.2"
- y="41.900002"
- id="text134"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">contribution to printing development, made by people from</text>
- <text
- x="1.2"
- y="42.700001"
- id="text136"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Linuxprinting.org. (see also http://www.cups.org/cups-help.html)</text>
-</svg>
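Review bot: The label at id="text122" ends in "deviates it gh", which reads as a cut-off line between text120 and text124, and the parenthesis opened in text126 is never closed in text128. If this figure is kept in a source tree outside docs/htmldocs, correct the wording there rather than carrying the defect along. The block from text120 to text130 is also the part of the diagram that explains cupsomatic handing the print file to the system-wide Ghostscript and bypassing pstoraster, so it is worth confirming that this explanation survives somewhere after the removal.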
diff --git a/docs/htmldocs/Samba3-HOWTO/images/domain.png b/docs/htmldocs/Samba3-HOWTO/images/domain.png
deleted file mode 100644
index c685e64ca0..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/domain.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/domain.svg b/docs/htmldocs/Samba3-HOWTO/images/domain.svg
deleted file mode 100644
index aca5d4be42..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/domain.svg
+++ /dev/null
@@ -1,2288 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="30cm"
- height="19.163cm"
- viewBox="0.15 0.887 30.15 20.05"
- id="svg2">
- <defs
- id="defs603" />
- <ellipse
- cx="15.15"
- cy="11.2"
- rx="14.95"
- ry="8.8000002"
- id="ellipse4"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.1830001"
- height="6.5500002"
- x="8.1999998"
- y="3.9000001"
- id="rect6"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="2.1830001"
- height="6.5500002"
- x="8.1999998"
- y="3.9000001"
- id="rect8"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.1830001"
- height="6.5500002"
- x="8.1999998"
- y="3.9000001"
- id="rect10"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.747"
- height="2.6199999"
- x="8.4180002"
- y="4.118"
- id="rect12"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="1.747"
- height="2.6199999"
- x="8.4180002"
- y="4.118"
- id="rect14"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.747"
- height="2.6199999"
- x="8.4180002"
- y="4.118"
- id="rect16"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.4180002"
- y1="4.5549998"
- x2="10.165"
- y2="4.5549998"
- stroke="#000000"
- stroke-width="0.010"
- id="line18"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="10.165"
- y1="4.9920001"
- x2="8.4180002"
- y2="4.9920001"
- stroke="#000000"
- stroke-width="0.010"
- id="line20"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.4180002"
- y1="5.428"
- x2="10.165"
- y2="5.428"
- stroke="#000000"
- stroke-width="0.010"
- id="line22"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.4180002"
- y1="5.8649998"
- x2="10.165"
- y2="5.8649998"
- stroke="#000000"
- stroke-width="0.010"
- id="line24"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="10.165"
- y1="6.302"
- x2="8.4180002"
- y2="6.302"
- stroke="#000000"
- stroke-width="0.010"
- id="line26"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.201"
- height="0.65499997"
- x="8.4180002"
- y="6.9569998"
- id="rect28"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="1.201"
- height="0.65499997"
- x="8.4180002"
- y="6.9569998"
- id="rect30"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.201"
- height="0.65499997"
- x="8.4180002"
- y="6.9569998"
- id="rect32"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.1999998"
- y1="8.0480003"
- x2="10.383"
- y2="8.0480003"
- stroke="#000000"
- stroke-width="0.010"
- id="line34"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.109"
- height="0.109"
- x="9.1820002"
- y="8.2670002"
- id="rect36"
- style="fill:#00cd00;stroke:none;stroke-width:0" />
- <rect
- width="0.109"
- height="0.109"
- x="9.1820002"
- y="8.2670002"
- id="rect38"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.109"
- height="0.109"
- x="9.1820002"
- y="8.2670002"
- id="rect40"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.109"
- height="0.109"
- x="9.6190004"
- y="8.2670002"
- id="rect42"
- style="fill:#cdcd00;stroke:none;stroke-width:0" />
- <rect
- width="0.109"
- height="0.109"
- x="9.6190004"
- y="8.2670002"
- id="rect44"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.109"
- height="0.109"
- x="9.6190004"
- y="8.2670002"
- id="rect46"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.109"
- height="0.109"
- x="10.056"
- y="8.2670002"
- id="rect48"
- style="fill:#cd0000;stroke:none;stroke-width:0" />
- <rect
- width="0.109"
- height="0.109"
- x="10.056"
- y="8.2670002"
- id="rect50"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.109"
- height="0.109"
- x="10.056"
- y="8.2670002"
- id="rect52"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.21799999"
- height="0.21799999"
- x="9.9469995"
- y="7.612"
- id="rect54"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.21799999"
- height="0.21799999"
- x="9.9469995"
- y="7.612"
- id="rect56"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.21799999"
- height="0.21799999"
- x="9.9469995"
- y="7.612"
- id="rect58"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.4180002"
- y1="7.2839999"
- x2="9.6190004"
- y2="7.2839999"
- stroke="#000000"
- stroke-width="0.010"
- id="line60"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.32800001"
- height="0.32800001"
- x="8.4180002"
- y="8.1569996"
- id="rect62"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.32800001"
- height="0.32800001"
- x="8.4180002"
- y="8.1569996"
- id="rect64"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.32800001"
- height="0.32800001"
- x="8.4180002"
- y="8.1569996"
- id="rect66"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.528"
- height="0.109"
- x="8.5270004"
- y="6.4109998"
- id="rect68"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="1.528"
- height="0.109"
- x="8.5270004"
- y="6.4109998"
- id="rect70"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.528"
- height="0.109"
- x="8.5270004"
- y="6.4109998"
- id="rect72"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.5270004"
- y1="7.066"
- x2="9.5100002"
- y2="7.066"
- stroke="#000000"
- stroke-width="0.010"
- id="line74"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="9.5100002"
- y1="7.1750002"
- x2="9.401"
- y2="7.1750002"
- stroke="#000000"
- stroke-width="0.010"
- id="line76"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.5270004"
- y1="7.1750002"
- x2="8.6370001"
- y2="7.1750002"
- stroke="#000000"
- stroke-width="0.010"
- id="line78"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.546"
- height="0.109"
- x="8.7460003"
- y="7.066"
- id="rect80"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="0.546"
- height="0.109"
- x="8.7460003"
- y="7.066"
- id="rect82"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.546"
- height="0.109"
- x="8.7460003"
- y="7.066"
- id="rect84"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.5270004"
- y1="6.6290002"
- x2="8.6370001"
- y2="6.6290002"
- stroke="#000000"
- stroke-width="0.010"
- id="line86"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.7460003"
- y1="6.6290002"
- x2="8.8549995"
- y2="6.6290002"
- stroke="#000000"
- stroke-width="0.010"
- id="line88"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="9.8369999"
- y1="6.6290002"
- x2="10.056"
- y2="6.6290002"
- stroke="#000000"
- stroke-width="0.010"
- id="line90"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.309"
- y1="10.341"
- x2="10.274"
- y2="10.341"
- stroke="#000000"
- stroke-width="0.010"
- id="line92"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="10.274"
- y1="10.232"
- x2="8.309"
- y2="10.232"
- stroke="#000000"
- stroke-width="0.010"
- id="line94"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.309"
- y1="10.123"
- x2="10.274"
- y2="10.123"
- stroke="#000000"
- stroke-width="0.010"
- id="line96"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="10.274"
- y1="10.013"
- x2="8.309"
- y2="10.013"
- stroke="#000000"
- stroke-width="0.010"
- id="line98"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.309"
- y1="9.9040003"
- x2="10.274"
- y2="9.9040003"
- stroke="#000000"
- stroke-width="0.010"
- id="line100"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="10.274"
- y1="9.7950001"
- x2="8.309"
- y2="9.7950001"
- stroke="#000000"
- stroke-width="0.010"
- id="line102"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.309"
- y1="9.6859999"
- x2="10.274"
- y2="9.6859999"
- stroke="#000000"
- stroke-width="0.010"
- id="line104"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="10.274"
- y1="9.5769997"
- x2="8.309"
- y2="9.5769997"
- stroke="#000000"
- stroke-width="0.010"
- id="line106"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.309"
- y1="9.467"
- x2="10.274"
- y2="9.467"
- stroke="#000000"
- stroke-width="0.010"
- id="line108"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="10.274"
- y1="9.3579998"
- x2="8.309"
- y2="9.3579998"
- stroke="#000000"
- stroke-width="0.010"
- id="line110"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.309"
- y1="9.2489996"
- x2="10.274"
- y2="9.2489996"
- stroke="#000000"
- stroke-width="0.010"
- id="line112"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="10.274"
- y1="9.1400003"
- x2="8.309"
- y2="9.1400003"
- stroke="#000000"
- stroke-width="0.010"
- id="line114"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="8.309"
- y1="9.0310001"
- x2="10.274"
- y2="9.0310001"
- stroke="#000000"
- stroke-width="0.010"
- id="line116"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="10.274"
- y1="8.9219999"
- x2="8.309"
- y2="8.9219999"
- stroke="#000000"
- stroke-width="0.010"
- id="line118"
- style="stroke:#000000;stroke-width:0.01" />
- <text
- x="4.9000001"
- y="5.6999998"
- id="text120"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Primary</text>
- <text
- x="4.9000001"
- y="6.5"
- id="text122"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Domain</text>
- <text
- x="4.9000001"
- y="7.3000002"
- id="text124"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Controller</text>
- <rect
- width="2.6359999"
- height="5.2709999"
- x="1.7"
- y="9.1000004"
- id="rect126"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="2.6359999"
- height="5.2709999"
- x="1.7"
- y="9.1000004"
- id="rect128"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.6359999"
- height="5.2709999"
- x="1.7"
- y="9.1000004"
- id="rect130"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="2.108"
- height="2.108"
- x="1.964"
- y="9.3640003"
- id="rect132"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="2.108"
- height="2.108"
- x="1.964"
- y="9.3640003"
- id="rect134"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.108"
- height="2.108"
- x="1.964"
- y="9.3640003"
- id="rect136"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="4.072"
- y1="9.8909998"
- x2="1.964"
- y2="9.8909998"
- stroke="#000000"
- stroke-width="0.010"
- id="line138"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="1.964"
- y1="10.418"
- x2="4.072"
- y2="10.418"
- stroke="#000000"
- stroke-width="0.010"
- id="line140"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="4.072"
- y1="10.813"
- x2="1.964"
- y2="10.813"
- stroke="#000000"
- stroke-width="0.010"
- id="line142"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.45"
- height="0.79100001"
- x="1.964"
- y="11.736"
- id="rect144"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="1.45"
- height="0.79100001"
- x="1.964"
- y="11.736"
- id="rect146"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.45"
- height="0.79100001"
- x="1.964"
- y="11.736"
- id="rect148"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="1.7"
- y1="12.658"
- x2="4.336"
- y2="12.658"
- stroke="#000000"
- stroke-width="0.010"
- id="line150"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.132"
- height="0.132"
- x="2.8859999"
- y="12.922"
- id="rect152"
- style="fill:#00cd00;stroke:none;stroke-width:0" />
- <rect
- width="0.132"
- height="0.132"
- x="2.8859999"
- y="12.922"
- id="rect154"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.132"
- height="0.132"
- x="2.8859999"
- y="12.922"
- id="rect156"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.132"
- height="0.132"
- x="3.4130001"
- y="12.922"
- id="rect158"
- style="fill:#cdcd00;stroke:none;stroke-width:0" />
- <rect
- width="0.132"
- height="0.132"
- x="3.4130001"
- y="12.922"
- id="rect160"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.132"
- height="0.132"
- x="3.4130001"
- y="12.922"
- id="rect162"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.132"
- height="0.132"
- x="3.9400001"
- y="12.922"
- id="rect164"
- style="fill:#cd0000;stroke:none;stroke-width:0" />
- <rect
- width="0.132"
- height="0.132"
- x="3.9400001"
- y="12.922"
- id="rect166"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.132"
- height="0.132"
- x="3.9400001"
- y="12.922"
- id="rect168"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.264"
- height="0.132"
- x="3.8080001"
- y="12.131"
- id="rect170"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.264"
- height="0.132"
- x="3.8080001"
- y="12.131"
- id="rect172"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.264"
- height="0.132"
- x="3.8080001"
- y="12.131"
- id="rect174"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="1.964"
- y1="12.131"
- x2="3.4130001"
- y2="12.131"
- stroke="#000000"
- stroke-width="0.010"
- id="line176"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.39500001"
- height="0.39500001"
- x="1.964"
- y="12.79"
- id="rect178"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.39500001"
- height="0.39500001"
- x="1.964"
- y="12.79"
- id="rect180"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.39500001"
- height="0.39500001"
- x="1.964"
- y="12.79"
- id="rect182"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.845"
- height="0.132"
- x="2.095"
- y="10.945"
- id="rect184"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="1.845"
- height="0.132"
- x="2.095"
- y="10.945"
- id="rect186"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.845"
- height="0.132"
- x="2.095"
- y="10.945"
- id="rect188"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="2.095"
- y1="11.867"
- x2="3.2809999"
- y2="11.867"
- stroke="#000000"
- stroke-width="0.010"
- id="line190"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="3.2809999"
- y1="11.999"
- x2="3.1500001"
- y2="11.999"
- stroke="#000000"
- stroke-width="0.010"
- id="line192"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="2.095"
- y1="11.999"
- x2="2.227"
- y2="11.999"
- stroke="#000000"
- stroke-width="0.010"
- id="line194"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.65899998"
- height="0.132"
- x="2.359"
- y="11.867"
- id="rect196"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="0.65899998"
- height="0.132"
- x="2.359"
- y="11.867"
- id="rect198"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.65899998"
- height="0.132"
- x="2.359"
- y="11.867"
- id="rect200"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="2.095"
- y1="11.208"
- x2="2.227"
- y2="11.208"
- stroke="#000000"
- stroke-width="0.010"
- id="line202"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="2.359"
- y1="11.208"
- x2="2.4909999"
- y2="11.208"
- stroke="#000000"
- stroke-width="0.010"
- id="line204"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="3.677"
- y1="11.208"
- x2="3.9400001"
- y2="11.208"
- stroke="#000000"
- stroke-width="0.010"
- id="line206"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="4.204"
- y1="14.239"
- x2="1.832"
- y2="14.239"
- stroke="#000000"
- stroke-width="0.010"
- id="line208"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="1.832"
- y1="14.108"
- x2="4.204"
- y2="14.108"
- stroke="#000000"
- stroke-width="0.010"
- id="line210"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="4.204"
- y1="13.976"
- x2="1.832"
- y2="13.976"
- stroke="#000000"
- stroke-width="0.010"
- id="line212"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="1.832"
- y1="13.844"
- x2="4.204"
- y2="13.844"
- stroke="#000000"
- stroke-width="0.010"
- id="line214"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="4.204"
- y1="13.712"
- x2="1.832"
- y2="13.712"
- stroke="#000000"
- stroke-width="0.010"
- id="line216"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="1.832"
- y1="13.58"
- x2="4.204"
- y2="13.58"
- stroke="#000000"
- stroke-width="0.010"
- id="line218"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="4.204"
- y1="13.449"
- x2="1.832"
- y2="13.449"
- stroke="#000000"
- stroke-width="0.010"
- id="line220"
- style="stroke:#000000;stroke-width:0.01" />
- <text
- x="3.5"
- y="15.5"
- id="text222"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Backup Domain</text>
- <text
- x="3.5"
- y="16.299999"
- id="text224"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Controller 1</text>
- <rect
- width="2.6359999"
- height="5.2709999"
- x="13.6"
- y="13.5"
- id="rect226"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="2.6359999"
- height="5.2709999"
- x="13.6"
- y="13.5"
- id="rect228"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.6359999"
- height="5.2709999"
- x="13.6"
- y="13.5"
- id="rect230"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="2.108"
- height="2.108"
- x="13.864"
- y="13.764"
- id="rect232"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="2.108"
- height="2.108"
- x="13.864"
- y="13.764"
- id="rect234"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.108"
- height="2.108"
- x="13.864"
- y="13.764"
- id="rect236"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="15.972"
- y1="14.291"
- x2="13.864"
- y2="14.291"
- stroke="#000000"
- stroke-width="0.010"
- id="line238"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="13.864"
- y1="14.818"
- x2="15.972"
- y2="14.818"
- stroke="#000000"
- stroke-width="0.010"
- id="line240"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="15.972"
- y1="15.213"
- x2="13.864"
- y2="15.213"
- stroke="#000000"
- stroke-width="0.010"
- id="line242"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.45"
- height="0.79100001"
- x="13.864"
- y="16.136"
- id="rect244"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="1.45"
- height="0.79100001"
- x="13.864"
- y="16.136"
- id="rect246"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.45"
- height="0.79100001"
- x="13.864"
- y="16.136"
- id="rect248"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="13.6"
- y1="17.058001"
- x2="16.236"
- y2="17.058001"
- stroke="#000000"
- stroke-width="0.010"
- id="line250"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.132"
- height="0.132"
- x="14.786"
- y="17.322001"
- id="rect252"
- style="fill:#00cd00;stroke:none;stroke-width:0" />
- <rect
- width="0.132"
- height="0.132"
- x="14.786"
- y="17.322001"
- id="rect254"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.132"
- height="0.132"
- x="14.786"
- y="17.322001"
- id="rect256"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.132"
- height="0.132"
- x="15.313"
- y="17.322001"
- id="rect258"
- style="fill:#cdcd00;stroke:none;stroke-width:0" />
- <rect
- width="0.132"
- height="0.132"
- x="15.313"
- y="17.322001"
- id="rect260"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.132"
- height="0.132"
- x="15.313"
- y="17.322001"
- id="rect262"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.132"
- height="0.132"
- x="15.84"
- y="17.322001"
- id="rect264"
- style="fill:#cd0000;stroke:none;stroke-width:0" />
- <rect
- width="0.132"
- height="0.132"
- x="15.84"
- y="17.322001"
- id="rect266"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.132"
- height="0.132"
- x="15.84"
- y="17.322001"
- id="rect268"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.264"
- height="0.132"
- x="15.708"
- y="16.531"
- id="rect270"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.264"
- height="0.132"
- x="15.708"
- y="16.531"
- id="rect272"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.264"
- height="0.132"
- x="15.708"
- y="16.531"
- id="rect274"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="13.864"
- y1="16.531"
- x2="15.313"
- y2="16.531"
- stroke="#000000"
- stroke-width="0.010"
- id="line276"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.39500001"
- height="0.39500001"
- x="13.864"
- y="17.190001"
- id="rect278"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.39500001"
- height="0.39500001"
- x="13.864"
- y="17.190001"
- id="rect280"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.39500001"
- height="0.39500001"
- x="13.864"
- y="17.190001"
- id="rect282"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.845"
- height="0.132"
- x="13.995"
- y="15.345"
- id="rect284"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="1.845"
- height="0.132"
- x="13.995"
- y="15.345"
- id="rect286"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.845"
- height="0.132"
- x="13.995"
- y="15.345"
- id="rect288"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="13.995"
- y1="16.267"
- x2="15.181"
- y2="16.267"
- stroke="#000000"
- stroke-width="0.010"
- id="line290"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="15.181"
- y1="16.399"
- x2="15.05"
- y2="16.399"
- stroke="#000000"
- stroke-width="0.010"
- id="line292"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="13.995"
- y1="16.399"
- x2="14.127"
- y2="16.399"
- stroke="#000000"
- stroke-width="0.010"
- id="line294"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.65899998"
- height="0.132"
- x="14.259"
- y="16.267"
- id="rect296"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="0.65899998"
- height="0.132"
- x="14.259"
- y="16.267"
- id="rect298"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.65899998"
- height="0.132"
- x="14.259"
- y="16.267"
- id="rect300"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="13.995"
- y1="15.608"
- x2="14.127"
- y2="15.608"
- stroke="#000000"
- stroke-width="0.010"
- id="line302"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="14.259"
- y1="15.608"
- x2="14.391"
- y2="15.608"
- stroke="#000000"
- stroke-width="0.010"
- id="line304"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="15.577"
- y1="15.608"
- x2="15.84"
- y2="15.608"
- stroke="#000000"
- stroke-width="0.010"
- id="line306"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="16.104"
- y1="18.639"
- x2="13.732"
- y2="18.639"
- stroke="#000000"
- stroke-width="0.010"
- id="line308"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="13.732"
- y1="18.507999"
- x2="16.104"
- y2="18.507999"
- stroke="#000000"
- stroke-width="0.010"
- id="line310"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="16.104"
- y1="18.375999"
- x2="13.732"
- y2="18.375999"
- stroke="#000000"
- stroke-width="0.010"
- id="line312"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="13.732"
- y1="18.243999"
- x2="16.104"
- y2="18.243999"
- stroke="#000000"
- stroke-width="0.010"
- id="line314"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="16.104"
- y1="18.112"
- x2="13.732"
- y2="18.112"
- stroke="#000000"
- stroke-width="0.010"
- id="line316"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="13.732"
- y1="17.98"
- x2="16.104"
- y2="17.98"
- stroke="#000000"
- stroke-width="0.010"
- id="line318"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="16.104"
- y1="17.849001"
- x2="13.732"
- y2="17.849001"
- stroke="#000000"
- stroke-width="0.010"
- id="line320"
- style="stroke:#000000;stroke-width:0.01" />
- <text
- x="16.9"
- y="14.7"
- id="text322"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Backup Domain</text>
- <text
- x="16.9"
- y="15.5"
- id="text324"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Controller 2</text>
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="4.336,11.736 4.336,12.000 9.292,12.000 9.292,10.450 "
- id="polyline326"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="14.918,13.500 14.918,11.975 9.292,11.975 9.292,10.450 "
- id="polyline328"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="5.3000002"
- height="1.767"
- x="17.4"
- y="4.9000001"
- id="rect330"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="5.3000002"
- height="1.767"
- x="17.4"
- y="4.9000001"
- id="rect332"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="5.3000002"
- height="1.767"
- x="17.4"
- y="4.9000001"
- id="rect334"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="2.0190001"
- height="1.01"
- x="20.555"
- y="5.4050002"
- id="rect336"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="2.0190001"
- height="1.01"
- x="20.555"
- y="5.4050002"
- id="rect338"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.0190001"
- height="1.01"
- x="20.555"
- y="5.4050002"
- id="rect340"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="22.573999"
- y1="5.9099998"
- x2="20.555"
- y2="5.9099998"
- stroke="#000000"
- stroke-width="0.010"
- id="line342"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.37900001"
- height="1.388"
- x="20.049999"
- y="5.026"
- id="rect344"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="0.37900001"
- height="1.388"
- x="20.049999"
- y="5.026"
- id="rect346"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.37900001"
- height="1.388"
- x="20.049999"
- y="5.026"
- id="rect348"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.126"
- height="0.126"
- x="18.662001"
- y="5.152"
- id="rect350"
- style="fill:#00cd00;stroke:none;stroke-width:0" />
- <rect
- width="0.126"
- height="0.126"
- x="18.662001"
- y="5.152"
- id="rect352"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.126"
- height="0.126"
- x="18.662001"
- y="5.152"
- id="rect354"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.126"
- height="0.126"
- x="18.914"
- y="5.152"
- id="rect356"
- style="fill:#cdcd00;stroke:none;stroke-width:0" />
- <rect
- width="0.126"
- height="0.126"
- x="18.914"
- y="5.152"
- id="rect358"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.126"
- height="0.126"
- x="18.914"
- y="5.152"
- id="rect360"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.126"
- height="0.126"
- x="19.167"
- y="5.152"
- id="rect362"
- style="fill:#cd0000;stroke:none;stroke-width:0" />
- <rect
- width="0.126"
- height="0.126"
- x="19.167"
- y="5.152"
- id="rect364"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.126"
- height="0.126"
- x="19.167"
- y="5.152"
- id="rect366"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.252"
- height="0.252"
- x="19.545"
- y="5.026"
- id="rect368"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.252"
- height="0.252"
- x="19.545"
- y="5.026"
- id="rect370"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.252"
- height="0.252"
- x="19.545"
- y="5.026"
- id="rect372"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.37900001"
- height="0.37900001"
- x="17.652"
- y="5.026"
- id="rect374"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.37900001"
- height="0.37900001"
- x="17.652"
- y="5.026"
- id="rect376"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.37900001"
- height="0.37900001"
- x="17.652"
- y="5.026"
- id="rect378"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.767"
- height="0.126"
- x="20.681"
- y="6.0359998"
- id="rect380"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="1.767"
- height="0.126"
- x="20.681"
- y="6.0359998"
- id="rect382"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.767"
- height="0.126"
- x="20.681"
- y="6.0359998"
- id="rect384"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.176001"
- y1="5.152"
- x2="20.176001"
- y2="6.2880001"
- stroke="#000000"
- stroke-width="0.010"
- id="line386"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.126"
- height="0.63099998"
- x="20.176001"
- y="5.4050002"
- id="rect388"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="0.126"
- height="0.63099998"
- x="20.176001"
- y="5.4050002"
- id="rect390"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.126"
- height="0.63099998"
- x="20.176001"
- y="5.4050002"
- id="rect392"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="22.195"
- y1="6.2880001"
- x2="22.448"
- y2="6.2880001"
- stroke="#000000"
- stroke-width="0.010"
- id="line394"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="17.525999"
- y1="5.783"
- x2="19.798"
- y2="5.783"
- stroke="#000000"
- stroke-width="0.010"
- id="line396"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.798"
- y1="5.9099998"
- x2="17.525999"
- y2="5.9099998"
- stroke="#000000"
- stroke-width="0.010"
- id="line398"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="17.525999"
- y1="6.0359998"
- x2="19.798"
- y2="6.0359998"
- stroke="#000000"
- stroke-width="0.010"
- id="line400"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.798"
- y1="6.414"
- x2="17.525999"
- y2="6.414"
- stroke="#000000"
- stroke-width="0.010"
- id="line402"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="17.525999"
- y1="6.2880001"
- x2="19.798"
- y2="6.2880001"
- stroke="#000000"
- stroke-width="0.010"
- id="line404"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.798"
- y1="6.1620002"
- x2="17.525999"
- y2="6.1620002"
- stroke="#000000"
- stroke-width="0.010"
- id="line406"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.681"
- y1="6.2880001"
- x2="20.806999"
- y2="6.2880001"
- stroke="#000000"
- stroke-width="0.010"
- id="line408"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.933001"
- y1="6.2880001"
- x2="21.059999"
- y2="6.2880001"
- stroke="#000000"
- stroke-width="0.010"
- id="line410"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.302"
- y1="6.2880001"
- x2="20.302"
- y2="6.1620002"
- stroke="#000000"
- stroke-width="0.010"
- id="line412"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.302"
- y1="5.2789998"
- x2="20.302"
- y2="5.152"
- stroke="#000000"
- stroke-width="0.010"
- id="line414"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="5.4000001"
- height="1.8"
- x="17.4"
- y="7.4000001"
- id="rect416"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="5.4000001"
- height="1.8"
- x="17.4"
- y="7.4000001"
- id="rect418"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="5.4000001"
- height="1.8"
- x="17.4"
- y="7.4000001"
- id="rect420"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="2.0569999"
- height="1.029"
- x="20.614"
- y="7.914"
- id="rect422"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="2.0569999"
- height="1.029"
- x="20.614"
- y="7.914"
- id="rect424"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.0569999"
- height="1.029"
- x="20.614"
- y="7.914"
- id="rect426"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="22.671"
- y1="8.4289999"
- x2="20.614"
- y2="8.4289999"
- stroke="#000000"
- stroke-width="0.010"
- id="line428"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.38600001"
- height="1.414"
- x="20.1"
- y="7.5289998"
- id="rect430"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="0.38600001"
- height="1.414"
- x="20.1"
- y="7.5289998"
- id="rect432"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.38600001"
- height="1.414"
- x="20.1"
- y="7.5289998"
- id="rect434"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.12899999"
- height="0.12899999"
- x="18.686001"
- y="7.6570001"
- id="rect436"
- style="fill:#00cd00;stroke:none;stroke-width:0" />
- <rect
- width="0.12899999"
- height="0.12899999"
- x="18.686001"
- y="7.6570001"
- id="rect438"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.12899999"
- height="0.12899999"
- x="18.686001"
- y="7.6570001"
- id="rect440"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.12899999"
- height="0.12899999"
- x="18.943001"
- y="7.6570001"
- id="rect442"
- style="fill:#cdcd00;stroke:none;stroke-width:0" />
- <rect
- width="0.12899999"
- height="0.12899999"
- x="18.943001"
- y="7.6570001"
- id="rect444"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.12899999"
- height="0.12899999"
- x="18.943001"
- y="7.6570001"
- id="rect446"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.12899999"
- height="0.12899999"
- x="19.200001"
- y="7.6570001"
- id="rect448"
- style="fill:#cd0000;stroke:none;stroke-width:0" />
- <rect
- width="0.12899999"
- height="0.12899999"
- x="19.200001"
- y="7.6570001"
- id="rect450"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.12899999"
- height="0.12899999"
- x="19.200001"
- y="7.6570001"
- id="rect452"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.257"
- height="0.257"
- x="19.586"
- y="7.5289998"
- id="rect454"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.257"
- height="0.257"
- x="19.586"
- y="7.5289998"
- id="rect456"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.257"
- height="0.257"
- x="19.586"
- y="7.5289998"
- id="rect458"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.38600001"
- height="0.38600001"
- x="17.657"
- y="7.5289998"
- id="rect460"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.38600001"
- height="0.38600001"
- x="17.657"
- y="7.5289998"
- id="rect462"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.38600001"
- height="0.38600001"
- x="17.657"
- y="7.5289998"
- id="rect464"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.8"
- height="0.12899999"
- x="20.743"
- y="8.5570002"
- id="rect466"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="1.8"
- height="0.12899999"
- x="20.743"
- y="8.5570002"
- id="rect468"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.8"
- height="0.12899999"
- x="20.743"
- y="8.5570002"
- id="rect470"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.229"
- y1="7.6570001"
- x2="20.229"
- y2="8.8140001"
- stroke="#000000"
- stroke-width="0.010"
- id="line472"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.12899999"
- height="0.64300001"
- x="20.229"
- y="7.914"
- id="rect474"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="0.12899999"
- height="0.64300001"
- x="20.229"
- y="7.914"
- id="rect476"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.12899999"
- height="0.64300001"
- x="20.229"
- y="7.914"
- id="rect478"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="22.285999"
- y1="8.8140001"
- x2="22.542999"
- y2="8.8140001"
- stroke="#000000"
- stroke-width="0.010"
- id="line480"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="17.528999"
- y1="8.3000002"
- x2="19.843"
- y2="8.3000002"
- stroke="#000000"
- stroke-width="0.010"
- id="line482"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.843"
- y1="8.4289999"
- x2="17.528999"
- y2="8.4289999"
- stroke="#000000"
- stroke-width="0.010"
- id="line484"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="17.528999"
- y1="8.5570002"
- x2="19.843"
- y2="8.5570002"
- stroke="#000000"
- stroke-width="0.010"
- id="line486"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.843"
- y1="8.9429998"
- x2="17.528999"
- y2="8.9429998"
- stroke="#000000"
- stroke-width="0.010"
- id="line488"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="17.528999"
- y1="8.8140001"
- x2="19.843"
- y2="8.8140001"
- stroke="#000000"
- stroke-width="0.010"
- id="line490"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.843"
- y1="8.6859999"
- x2="17.528999"
- y2="8.6859999"
- stroke="#000000"
- stroke-width="0.010"
- id="line492"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.743"
- y1="8.8140001"
- x2="20.871"
- y2="8.8140001"
- stroke="#000000"
- stroke-width="0.010"
- id="line494"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="21"
- y1="8.8140001"
- x2="21.129"
- y2="8.8140001"
- stroke="#000000"
- stroke-width="0.010"
- id="line496"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.357"
- y1="8.8140001"
- x2="20.357"
- y2="8.6859999"
- stroke="#000000"
- stroke-width="0.010"
- id="line498"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.357"
- y1="7.7859998"
- x2="20.357"
- y2="7.6570001"
- stroke="#000000"
- stroke-width="0.010"
- id="line500"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="5.4499998"
- height="1.817"
- x="17.5"
- y="9.8000002"
- id="rect502"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="5.4499998"
- height="1.817"
- x="17.5"
- y="9.8000002"
- id="rect504"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="5.4499998"
- height="1.817"
- x="17.5"
- y="9.8000002"
- id="rect506"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="2.076"
- height="1.038"
- x="20.743999"
- y="10.319"
- id="rect508"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="2.076"
- height="1.038"
- x="20.743999"
- y="10.319"
- id="rect510"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="2.076"
- height="1.038"
- x="20.743999"
- y="10.319"
- id="rect512"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="22.82"
- y1="10.838"
- x2="20.743999"
- y2="10.838"
- stroke="#000000"
- stroke-width="0.010"
- id="line514"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.389"
- height="1.427"
- x="20.225"
- y="9.9300003"
- id="rect516"
- style="fill:#d9d9cd;stroke:none;stroke-width:0" />
- <rect
- width="0.389"
- height="1.427"
- x="20.225"
- y="9.9300003"
- id="rect518"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.389"
- height="1.427"
- x="20.225"
- y="9.9300003"
- id="rect520"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.13"
- height="0.13"
- x="18.798"
- y="10.06"
- id="rect522"
- style="fill:#00cd00;stroke:none;stroke-width:0" />
- <rect
- width="0.13"
- height="0.13"
- x="18.798"
- y="10.06"
- id="rect524"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.13"
- height="0.13"
- x="18.798"
- y="10.06"
- id="rect526"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.13"
- height="0.13"
- x="19.056999"
- y="10.06"
- id="rect528"
- style="fill:#cdcd00;stroke:none;stroke-width:0" />
- <rect
- width="0.13"
- height="0.13"
- x="19.056999"
- y="10.06"
- id="rect530"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.13"
- height="0.13"
- x="19.056999"
- y="10.06"
- id="rect532"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.13"
- height="0.13"
- x="19.316999"
- y="10.06"
- id="rect534"
- style="fill:#cd0000;stroke:none;stroke-width:0" />
- <rect
- width="0.13"
- height="0.13"
- x="19.316999"
- y="10.06"
- id="rect536"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.13"
- height="0.13"
- x="19.316999"
- y="10.06"
- id="rect538"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.25999999"
- height="0.25999999"
- x="19.705999"
- y="9.9300003"
- id="rect540"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.25999999"
- height="0.25999999"
- x="19.705999"
- y="9.9300003"
- id="rect542"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.25999999"
- height="0.25999999"
- x="19.705999"
- y="9.9300003"
- id="rect544"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.389"
- height="0.389"
- x="17.76"
- y="9.9300003"
- id="rect546"
- style="fill:#cdcdbd;stroke:none;stroke-width:0" />
- <rect
- width="0.389"
- height="0.389"
- x="17.76"
- y="9.9300003"
- id="rect548"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.389"
- height="0.389"
- x="17.76"
- y="9.9300003"
- id="rect550"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.817"
- height="0.13"
- x="20.874001"
- y="10.968"
- id="rect552"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="1.817"
- height="0.13"
- x="20.874001"
- y="10.968"
- id="rect554"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.817"
- height="0.13"
- x="20.874001"
- y="10.968"
- id="rect556"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.355"
- y1="10.06"
- x2="20.355"
- y2="11.227"
- stroke="#000000"
- stroke-width="0.010"
- id="line558"
- style="stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.13"
- height="0.64899999"
- x="20.355"
- y="10.319"
- id="rect560"
- style="fill:#cdcdc1;stroke:none;stroke-width:0" />
- <rect
- width="0.13"
- height="0.64899999"
- x="20.355"
- y="10.319"
- id="rect562"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="0.13"
- height="0.64899999"
- x="20.355"
- y="10.319"
- id="rect564"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <line
- x1="22.431"
- y1="11.227"
- x2="22.690001"
- y2="11.227"
- stroke="#000000"
- stroke-width="0.010"
- id="line566"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="17.629999"
- y1="10.708"
- x2="19.965"
- y2="10.708"
- stroke="#000000"
- stroke-width="0.010"
- id="line568"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.965"
- y1="10.838"
- x2="17.629999"
- y2="10.838"
- stroke="#000000"
- stroke-width="0.010"
- id="line570"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="17.629999"
- y1="10.968"
- x2="19.965"
- y2="10.968"
- stroke="#000000"
- stroke-width="0.010"
- id="line572"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.965"
- y1="11.357"
- x2="17.629999"
- y2="11.357"
- stroke="#000000"
- stroke-width="0.010"
- id="line574"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="17.629999"
- y1="11.227"
- x2="19.965"
- y2="11.227"
- stroke="#000000"
- stroke-width="0.010"
- id="line576"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="19.965"
- y1="11.098"
- x2="17.629999"
- y2="11.098"
- stroke="#000000"
- stroke-width="0.010"
- id="line578"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.874001"
- y1="11.227"
- x2="21.004"
- y2="11.227"
- stroke="#000000"
- stroke-width="0.010"
- id="line580"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="21.132999"
- y1="11.227"
- x2="21.263"
- y2="11.227"
- stroke="#000000"
- stroke-width="0.010"
- id="line582"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.485001"
- y1="11.227"
- x2="20.485001"
- y2="11.098"
- stroke="#000000"
- stroke-width="0.010"
- id="line584"
- style="stroke:#000000;stroke-width:0.01" />
- <line
- x1="20.485001"
- y1="10.189"
- x2="20.485001"
- y2="10.06"
- stroke="#000000"
- stroke-width="0.010"
- id="line586"
- style="stroke:#000000;stroke-width:0.01" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="9.300,12.000 13.992,12.000 13.992,5.783 17.400,5.783 "
- id="polyline588"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="17.400,8.300 14.000,8.300 14.000,12.000 10.200,12.000 "
- id="polyline590"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="17.500,10.708 14.000,10.708 14.000,12.000 10.300,12.000 "
- id="polyline592"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="17.700001"
- y="4.3000002"
- id="text594"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Workstation A</text>
- <text
- x="23.799999"
- y="8.6000004"
- id="text596"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Workstation B</text>
- <text
- x="23.799999"
- y="10.9"
- id="text598"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Workstation C</text>
- <text
- x="13.1"
- y="1.7"
- id="text600"
- style="font-size:1.20000005px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">DOMAIN</text>
-</svg>
diff --git a/docs/htmldocs/Samba3-HOWTO/images/ethereal1.png b/docs/htmldocs/Samba3-HOWTO/images/ethereal1.png
deleted file mode 100644
index c8655389d0..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/ethereal1.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/ethereal2.png b/docs/htmldocs/Samba3-HOWTO/images/ethereal2.png
deleted file mode 100644
index f366772d3b..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/ethereal2.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.png
deleted file mode 100644
index 65d04a7974..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.svg b/docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.svg
deleted file mode 100644
index 61181b75c8..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-gid2sid.svg
+++ /dev/null
@@ -1,277 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="24.174cm"
- height="19.486cm"
- viewBox="-0.49 0.171 23.684 19.657"
- id="svg2">
- <defs
- id="defs97" />
- <path
- d="M 3.333,0.221 L 5.667,0.221 C 5.989,0.221 6.25,0.626 6.25,1.125 C 6.25,1.624 5.989,2.029 5.667,2.029 L 3.333,2.029 C 3.011,2.029 2.75,1.624 2.75,1.125 C 2.75,0.626 3.011,0.221 3.333,0.221"
- id="path4"
- style="fill:#c9c9c9;stroke:none;stroke-width:0.1" />
- <path
- d="M 3.333,0.221 L 5.667,0.221 C 5.989,0.221 6.25,0.626 6.25,1.125 C 6.25,1.624 5.989,2.029 5.667,2.029 L 3.333,2.029 C 3.011,2.029 2.75,1.624 2.75,1.125 C 2.75,0.626 3.011,0.221 3.333,0.221"
- id="path6"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="3.7609999"
- y="1.303"
- id="text8"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">GID</text>
- <line
- x1="4.5040002"
- y1="5.5"
- x2="4.5019999"
- y2="6.1500001"
- stroke="#000000"
- stroke-width="0.100"
- id="line10"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.102,6.149 4.5,6.95 4.902,6.151 4.102,6.149 "
- id="polygon12"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <path
- d="M 5.883,16.8 L 9.117,16.8 C 9.564,16.8 9.926,17.428 9.926,18.204 C 9.926,18.979 9.564,19.607 9.117,19.607 L 5.883,19.607 C 5.436,19.607 5.074,18.979 5.074,18.204 C 5.074,17.428 5.436,16.8 5.883,16.8"
- id="path14"
- style="fill:#d5d5d5;stroke:none;stroke-width:0.1" />
- <path
- d="M 5.883,16.8 L 9.117,16.8 C 9.564,16.8 9.926,17.428 9.926,18.204 C 9.926,18.979 9.564,19.607 9.117,19.607 L 5.883,19.607 C 5.436,19.607 5.074,18.979 5.074,18.204 C 5.074,17.428 5.436,16.8 5.883,16.8"
- id="path16"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="6.2859998"
- y="17.881001"
- id="text18"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">group</text>
- <text
- x="6.7989998"
- y="18.881001"
- id="text20"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">SID</text>
- <path
- d="M 16.083,11.65 L 18.417,11.65 C 18.739,11.65 19,12.055 19,12.554 C 19,13.053 18.739,13.457 18.417,13.457 L 16.083,13.457 C 15.761,13.457 15.5,13.053 15.5,12.554 C 15.5,12.055 15.761,11.65 16.083,11.65"
- id="path22"
- style="fill:#dbd8d8;stroke:none;stroke-width:0.1" />
- <path
- d="M 16.083,11.65 L 18.417,11.65 C 18.739,11.65 19,12.055 19,12.554 C 19,13.053 18.739,13.457 18.417,13.457 L 16.083,13.457 C 15.761,13.457 15.5,13.053 15.5,12.554 C 15.5,12.055 15.761,11.65 16.083,11.65"
- id="path24"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="16.525999"
- y="12.731"
- id="text26"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Fail</text>
- <line
- x1="13"
- y1="12.5"
- x2="14.65"
- y2="12.5"
- stroke="#000000"
- stroke-width="0.100"
- id="line28"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="14.65,12.9 15.45,12.5 14.65,12.1 14.65,12.9 "
- id="polygon30"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="11,11 13,12.5 11,14 9,12.5 11,11 "
- id="polygon32"
- style="fill:#abfafe;stroke:none;stroke-width:0.1" />
- <polygon
- points="11,11 13,12.5 11,14 9,12.5 11,11 "
- id="polygon34"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="9.5229998"
- y="12.75"
- id="text36"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Found?</text>
- <text
- x="11.531"
- y="15"
- id="text38"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">Yes</text>
- <line
- x1="10.989"
- y1="9.3999996"
- x2="10.994"
- y2="10.15"
- stroke="#000000"
- stroke-width="0.100"
- id="line40"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="10.594,10.153 11,10.95 11.394,10.147 10.594,10.153 "
- id="polygon42"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <text
- x="13.104"
- y="12.25"
- id="text44"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">No</text>
- <line
- x1="7.5"
- y1="15.25"
- x2="7.5"
- y2="15.95"
- stroke="#000000"
- stroke-width="0.100"
- id="line46"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="7.1,15.95 7.5,16.75 7.9,15.95 7.1,15.95 "
- id="polygon48"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.5,7 6.5,8.5 4.5,10 2.5,8.5 4.5,7 "
- id="polygon50"
- style="fill:#c5effb;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.5,7 6.5,8.5 4.5,10 2.5,8.5 4.5,7 "
- id="polygon52"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="3.0220001"
- y="8.75"
- id="text54"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Found?</text>
- <text
- x="5.0310001"
- y="10.75"
- id="text56"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">Yes</text>
- <line
- x1="4.5"
- y1="2.029"
- x2="4.5009999"
- y2="2.55"
- stroke="#000000"
- stroke-width="0.100"
- id="line58"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.101,2.551 4.503,3.35 4.901,2.549 4.101,2.551 "
- id="polygon60"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <text
- x="6.6040001"
- y="8.25"
- id="text62"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">No</text>
- <line
- x1="6.5"
- y1="8.5"
- x2="8.1499996"
- y2="8.5"
- stroke="#000000"
- stroke-width="0.100"
- id="line64"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="8.15,8.9 8.95,8.5 8.15,8.1 8.15,8.9 "
- id="polygon66"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <rect
- width="4.4899998"
- height="2.0999999"
- x="8.7440004"
- y="7.4000001"
- id="rect68"
- style="fill:#d5d5d5;stroke:none;stroke-width:0" />
- <rect
- width="4.4899998"
- height="2.0999999"
- x="8.7440004"
- y="7.4000001"
- id="rect70"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="9.2939997"
- y="8.6280003"
- id="text72"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Winbind</text>
- <line
- x1="13.25"
- y1="8.75"
- x2="15.25"
- y2="9.5"
- stroke="#000000"
- stroke-width="0.050"
- id="line74"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="13.25"
- y1="8.25"
- x2="15.25"
- y2="7.5"
- stroke="#000000"
- stroke-width="0.050"
- id="line76"
- style="stroke:#000000;stroke-width:0.05" />
- <rect
- width="8"
- height="2"
- x="15.5"
- y="7.5"
- id="rect78"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="8"
- height="2"
- x="15.5"
- y="7.5"
- id="rect80"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="15.316"
- y="8.25"
- id="text82"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">winbindd_idmap.tdb</text>
- <text
- x="17.761999"
- y="9.25"
- id="text84"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">ldapsam</text>
- <line
- x1="23.5"
- y1="8.5"
- x2="15.5"
- y2="8.5"
- stroke="#000000"
- stroke-width="0.050"
- id="line86"
- style="stroke:#000000;stroke-width:0.05" />
- <rect
- width="9.8870001"
- height="2.0999999"
- x="-0.44"
- y="3.4000001"
- id="rect88"
- style="fill:#dcdcdc;stroke:none;stroke-width:0" />
- <rect
- width="9.8870001"
- height="2.0999999"
- x="-0.44"
- y="3.4000001"
- id="rect90"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="0.11"
- y="4.6269999"
- id="text92"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">groupmap_idmap.tdb</text>
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="4.500,10.000 4.500,15.250 11.000,15.250 11.000,14.000 "
- id="polyline94"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
-</svg>
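Review bot: the store box in this diagram (text92) is labelled "groupmap_idmap.tdb", while idmap-groups.svg, removed later in this same patch, labels the group mapping store "group_mapping tdb" (text20). If the source of this figure survives outside docs/htmldocs, use one name for the store in both figures so the GID to group SID lookup order (local mapping first, then Winbind backed by winbindd_idmap.tdb or ldapsam, else Fail) can be matched against a single file. The same label appears in idmap-sid2gid.svg.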
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-groups.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-groups.png
deleted file mode 100644
index 7fc9ccb926..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-groups.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-groups.svg b/docs/htmldocs/Samba3-HOWTO/images/idmap-groups.svg
deleted file mode 100644
index 58b1dc6be6..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-groups.svg
+++ /dev/null
@@ -1,129 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="9.6999998cm"
- height="17.848cm"
- viewBox="2.95 0.95 12.65 18.798"
- id="svg2">
- <defs
- id="defs49" />
- <text
- x="3.7"
- y="1.9"
- id="text4"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Grou</text>
- <text
- x="3.7"
- y="2"
- id="text6"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">group</text>
- <rect
- width="9.6000004"
- height="3"
- x="3"
- y="1"
- id="rect8"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="9.6000004"
- height="3"
- x="3"
- y="1"
- id="rect10"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="9.5500002"
- height="3.3"
- x="3"
- y="15.4"
- id="rect12"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="9.5500002"
- height="3.3"
- x="3"
- y="15.4"
- id="rect14"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="9.5500002"
- height="3.5"
- x="3"
- y="8"
- id="rect16"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="9.5500002"
- height="3.5"
- x="3"
- y="8"
- id="rect18"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="3.75"
- y="2.05"
- id="text20"
- style="font-size:0.80000001px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:sans">group_mapping tdb</text>
- <text
- x="3.6500001"
- y="3.5"
- id="text22"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">contains samba groups</text>
- <text
- x="5.5999999"
- y="9.0620003"
- id="text24"
- style="font-size:0.80000001px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:sans">idmap gid</text>
- <text
- x="4.25"
- y="10.25"
- id="text26"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">maps UNIX groups to</text>
- <text
- x="4.25"
- y="11.05"
- id="text28"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">samba groups</text>
- <text
- x="5.0500002"
- y="16.5"
- id="text30"
- style="font-size:0.80000001px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:sans">UNIX groups</text>
- <text
- x="4.8499999"
- y="17.6"
- id="text32"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">/etc/group or other</text>
- <text
- x="4.8499999"
- y="18.4"
- id="text34"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">NSS backend</text>
- <polygon
- points="7.183,6.963 7.183,5.01 6.694,5.01 7.671,4.034 8.647,5.01 8.159,5.01 8.159,6.963 8.647,6.963 7.671,7.939 6.694,6.963 7.183,6.963 "
- id="polygon36"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="7.183,6.963 7.183,5.01 6.694,5.01 7.671,4.034 8.647,5.01 8.159,5.01 8.159,6.963 8.647,6.963 7.671,7.939 6.694,6.963 7.183,6.963 "
- id="polygon38"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="7.183,6.963 7.183,5.01 6.694,5.01 7.671,4.034 8.647,5.01 8.159,5.01 8.159,6.963 8.647,6.963 7.671,7.939 6.694,6.963 7.183,6.963 "
- id="polygon40"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="7.196,14.421 7.196,12.521 6.721,12.521 7.671,11.571 8.621,12.521 8.146,12.521 8.146,14.421 8.621,14.421 7.671,15.371 6.721,14.421 7.196,14.421 "
- id="polygon42"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="7.196,14.421 7.196,12.521 6.721,12.521 7.671,11.571 8.621,12.521 8.146,12.521 8.146,14.421 8.621,14.421 7.671,15.371 6.721,14.421 7.196,14.421 "
- id="polygon44"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="7.196,14.421 7.196,12.521 6.721,12.521 7.671,11.571 8.621,12.521 8.146,12.521 8.146,14.421 8.621,14.421 7.671,15.371 6.721,14.421 7.196,14.421 "
- id="polygon46"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
-</svg>
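Review bot: text4 ("Grou") and text6 ("group") at the top of this file are leftovers. Both sit at x=3.7, y=1.9/2 and are painted over by the white rect8 (x=3, y=1, 9.6 by 3) drawn after them, with text20 "group_mapping tdb" then placed on top. If this figure is kept anywhere else, drop the two hidden text elements from that copy so text search and accessibility tools do not pick up the stray labels.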
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.png
deleted file mode 100644
index e3847de4d0..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.svg b/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.svg
deleted file mode 100644
index 95944e9851..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2gid.svg
+++ /dev/null
@@ -1,277 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="23.674999cm"
- height="19.329cm"
- viewBox="-0.492 0 23.184 19.329"
- id="svg2">
- <defs
- id="defs97" />
- <path
- d="M 6.333,17.471 L 8.667,17.471 C 8.989,17.471 9.25,17.876 9.25,18.375 C 9.25,18.874 8.989,19.279 8.667,19.279 L 6.333,19.279 C 6.011,19.279 5.75,18.874 5.75,18.375 C 5.75,17.876 6.011,17.471 6.333,17.471"
- id="path4"
- style="fill:#dcdcdc;stroke:none;stroke-width:0.1" />
- <path
- d="M 6.333,17.471 L 8.667,17.471 C 8.989,17.471 9.25,17.876 9.25,18.375 C 9.25,18.874 8.989,19.279 8.667,19.279 L 6.333,19.279 C 6.011,19.279 5.75,18.874 5.75,18.375 C 5.75,17.876 6.011,17.471 6.333,17.471"
- id="path6"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="6.7610002"
- y="18.552"
- id="text8"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">GID</text>
- <line
- x1="4.5019999"
- y1="6"
- x2="4.5009999"
- y2="6.6500001"
- stroke="#000000"
- stroke-width="0.100"
- id="line10"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.101,6.649 4.5,7.45 4.901,6.651 4.101,6.649 "
- id="polygon12"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <path
- d="M 2.883,0.05 L 6.117,0.05 C 6.564,0.05 6.926,0.678 6.926,1.454 C 6.926,2.229 6.564,2.857 6.117,2.857 L 2.883,2.857 C 2.436,2.857 2.074,2.229 2.074,1.454 C 2.074,0.678 2.436,0.05 2.883,0.05"
- id="path14"
- style="fill:#cfcfcf;stroke:none;stroke-width:0.1" />
- <path
- d="M 2.883,0.05 L 6.117,0.05 C 6.564,0.05 6.926,0.678 6.926,1.454 C 6.926,2.229 6.564,2.857 6.117,2.857 L 2.883,2.857 C 2.436,2.857 2.074,2.229 2.074,1.454 C 2.074,0.678 2.436,0.05 2.883,0.05"
- id="path16"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="3.286"
- y="1.131"
- id="text18"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">group</text>
- <text
- x="3.799"
- y="2.131"
- id="text20"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">SID</text>
- <path
- d="M 15.181,12.15 L 17.435,12.15 C 17.746,12.15 17.999,12.555 17.999,13.054 C 17.999,13.553 17.746,13.957 17.435,13.957 L 15.181,13.957 C 14.869,13.957 14.617,13.553 14.617,13.054 C 14.617,12.555 14.869,12.15 15.181,12.15"
- id="path22"
- style="fill:#dcdcdc;stroke:none;stroke-width:0.1" />
- <path
- d="M 15.181,12.15 L 17.435,12.15 C 17.746,12.15 17.999,12.555 17.999,13.054 C 17.999,13.553 17.746,13.957 17.435,13.957 L 15.181,13.957 C 14.869,13.957 14.617,13.553 14.617,13.054 C 14.617,12.555 14.869,12.15 15.181,12.15"
- id="path24"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="15.584"
- y="13.231"
- id="text26"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Fail</text>
- <line
- x1="12.5"
- y1="13"
- x2="13.9"
- y2="13"
- stroke="#000000"
- stroke-width="0.100"
- id="line28"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="13.9,13.4 14.7,13 13.9,12.6 13.9,13.4 "
- id="polygon30"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="10.5,11.5 12.5,13 10.5,14.5 8.5,13 10.5,11.5 "
- id="polygon32"
- style="fill:#bef2ff;stroke:none;stroke-width:0.1" />
- <polygon
- points="10.5,11.5 12.5,13 10.5,14.5 8.5,13 10.5,11.5 "
- id="polygon34"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="9.0229998"
- y="13.25"
- id="text36"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Found?</text>
- <text
- x="11.031"
- y="15.5"
- id="text38"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">Yes</text>
- <line
- x1="10.489"
- y1="10"
- x2="10.494"
- y2="10.65"
- stroke="#000000"
- stroke-width="0.100"
- id="line40"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="10.094,10.653 10.5,11.45 10.894,10.647 10.094,10.653 "
- id="polygon42"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <text
- x="12.604"
- y="12.75"
- id="text44"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">No</text>
- <line
- x1="7.5"
- y1="15.75"
- x2="7.5"
- y2="16.65"
- stroke="#000000"
- stroke-width="0.100"
- id="line46"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="7.1,16.65 7.5,17.45 7.9,16.65 7.1,16.65 "
- id="polygon48"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.5,7.5 6.5,9 4.5,10.5 2.5,9 4.5,7.5 "
- id="polygon50"
- style="fill:#acedff;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.5,7.5 6.5,9 4.5,10.5 2.5,9 4.5,7.5 "
- id="polygon52"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="3.0220001"
- y="9.25"
- id="text54"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Found?</text>
- <text
- x="5.0310001"
- y="11.25"
- id="text56"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">Yes</text>
- <line
- x1="4.5"
- y1="2.8570001"
- x2="4.5"
- y2="3.05"
- stroke="#000000"
- stroke-width="0.100"
- id="line58"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.1,3.051 4.502,3.85 4.9,3.049 4.1,3.051 "
- id="polygon60"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <text
- x="6.6040001"
- y="8.75"
- id="text62"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">No</text>
- <line
- x1="6.5"
- y1="9"
- x2="7.6500001"
- y2="9"
- stroke="#000000"
- stroke-width="0.100"
- id="line64"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="7.65,9.4 8.45,9 7.65,8.6 7.65,9.4 "
- id="polygon66"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <rect
- width="4.4899998"
- height="2.0999999"
- x="8.2440004"
- y="7.9000001"
- id="rect68"
- style="fill:#dcdcdc;stroke:none;stroke-width:0" />
- <rect
- width="4.4899998"
- height="2.0999999"
- x="8.2440004"
- y="7.9000001"
- id="rect70"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="8.7939997"
- y="9.1280003"
- id="text72"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Winbind</text>
- <line
- x1="12.75"
- y1="9.25"
- x2="14.75"
- y2="10"
- stroke="#000000"
- stroke-width="0.050"
- id="line74"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="12.75"
- y1="8.75"
- x2="14.75"
- y2="8"
- stroke="#000000"
- stroke-width="0.050"
- id="line76"
- style="stroke:#000000;stroke-width:0.05" />
- <rect
- width="8"
- height="2"
- x="15"
- y="8"
- id="rect78"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="8"
- height="2"
- x="15"
- y="8"
- id="rect80"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="14.816"
- y="8.75"
- id="text82"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">winbindd_idmap.tdb</text>
- <text
- x="17.261999"
- y="9.75"
- id="text84"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">ldapsam</text>
- <line
- x1="23"
- y1="9"
- x2="15"
- y2="9"
- stroke="#000000"
- stroke-width="0.050"
- id="line86"
- style="stroke:#000000;stroke-width:0.05" />
- <rect
- width="9.8870001"
- height="2.0999999"
- x="-0.442"
- y="3.9000001"
- id="rect88"
- style="fill:#d3d3d3;stroke:none;stroke-width:0" />
- <rect
- width="9.8870001"
- height="2.0999999"
- x="-0.442"
- y="3.9000001"
- id="rect90"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="0.108"
- y="5.1269999"
- id="text92"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">groupmap_idmap.tdb</text>
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="4.500,10.500 4.500,15.500 10.500,15.500 10.500,14.500 "
- id="polyline94"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
-</svg>
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.png
deleted file mode 100644
index 91bd3d79de..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.svg b/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.svg
deleted file mode 100644
index 84faf099f6..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-sid2uid.svg
+++ /dev/null
@@ -1,365 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="33.234001cm"
- height="20.391001cm"
- viewBox="0.066 0.921 33.3 21.312"
- id="svg2">
- <defs
- id="defs121" />
- <line
- x1="12.5"
- y1="2.779"
- x2="12.5"
- y2="4.9000001"
- stroke="#000000"
- stroke-width="0.100"
- id="line4"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="12.1,4.9 12.5,5.7 12.9,4.9 12.1,4.9 "
- id="polygon6"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <path
- d="M 11.333,0.971 L 13.667,0.971 C 13.989,0.971 14.25,1.376 14.25,1.875 C 14.25,2.374 13.989,2.779 13.667,2.779 L 11.333,2.779 C 11.011,2.779 10.75,2.374 10.75,1.875 C 10.75,1.376 11.011,0.971 11.333,0.971"
- id="path8"
- style="fill:#d9d9d9;stroke:none;stroke-width:0.1" />
- <path
- d="M 11.333,0.971 L 13.667,0.971 C 13.989,0.971 14.25,1.376 14.25,1.875 C 14.25,2.374 13.989,2.779 13.667,2.779 L 11.333,2.779 C 11.011,2.779 10.75,2.374 10.75,1.875 C 10.75,1.376 11.011,0.971 11.333,0.971"
- id="path10"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="11.799"
- y="2.053"
- id="text12"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">SID</text>
- <polygon
- points="12.5,5.75 15.5,7.75 12.5,9.75 9.5,7.75 12.5,5.75 "
- id="polygon14"
- style="fill:#aff3f6;stroke:none;stroke-width:0.1" />
- <polygon
- points="12.5,5.75 15.5,7.75 12.5,9.75 9.5,7.75 12.5,5.75 "
- id="polygon16"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="9.8459997"
- y="8"
- id="text18"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Our Domain?</text>
- <line
- x1="15.5"
- y1="7.75"
- x2="17.65"
- y2="7.75"
- stroke="#000000"
- stroke-width="0.100"
- id="line20"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="17.65,8.15 18.45,7.75 17.65,7.35 17.65,8.15 "
- id="polygon22"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <text
- x="16.031"
- y="7.5"
- id="text24"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">Yes</text>
- <line
- x1="12.5"
- y1="9.75"
- x2="12.493"
- y2="11.55"
- stroke="#000000"
- stroke-width="0.100"
- id="line26"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="12.093,11.548 12.49,12.35 12.893,11.552 12.093,11.548 "
- id="polygon28"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <text
- x="12.854"
- y="10.75"
- id="text30"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">No</text>
- <line
- x1="16.5"
- y1="15.25"
- x2="16.5"
- y2="17.4"
- stroke="#000000"
- stroke-width="0.100"
- id="line32"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="16.1,17.4 16.5,18.2 16.9,17.4 16.1,17.4 "
- id="polygon34"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <path
- d="M 21.833,18.9 L 24.167,18.9 C 24.489,18.9 24.75,19.305 24.75,19.804 C 24.75,20.303 24.489,20.707 24.167,20.707 L 21.833,20.707 C 21.511,20.707 21.25,20.303 21.25,19.804 C 21.25,19.305 21.511,18.9 21.833,18.9"
- id="path36"
- style="fill:#d9d9d9;stroke:none;stroke-width:0.1" />
- <path
- d="M 21.833,18.9 L 24.167,18.9 C 24.489,18.9 24.75,19.305 24.75,19.804 C 24.75,20.303 24.489,20.707 24.167,20.707 L 21.833,20.707 C 21.511,20.707 21.25,20.303 21.25,19.804 C 21.25,19.305 21.511,18.9 21.833,18.9"
- id="path38"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="22.264999"
- y="19.981001"
- id="text40"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">UID</text>
- <polygon
- points="16.5,18.25 18.5,19.75 16.5,21.25 14.5,19.75 16.5,18.25 "
- id="polygon42"
- style="fill:#a1fdfb;stroke:none;stroke-width:0.1" />
- <polygon
- points="16.5,18.25 18.5,19.75 16.5,21.25 14.5,19.75 16.5,18.25 "
- id="polygon44"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="15.023"
- y="20"
- id="text46"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Found?</text>
- <text
- x="18.781"
- y="19.5"
- id="text48"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">Yes</text>
- <text
- x="13.354"
- y="19.5"
- id="text50"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">No</text>
- <line
- x1="18.5"
- y1="19.75"
- x2="20.4"
- y2="19.75"
- stroke="#000000"
- stroke-width="0.100"
- id="line52"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="20.4,20.15 21.2,19.75 20.4,19.35 20.4,20.15 "
- id="polygon54"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <line
- x1="14.5"
- y1="19.75"
- x2="12.6"
- y2="19.75"
- stroke="#000000"
- stroke-width="0.100"
- id="line56"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="12.6,19.35 11.8,19.75 12.6,20.15 12.6,19.35 "
- id="polygon58"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <path
- d="M 8.833,18.9 L 11.167,18.9 C 11.489,18.9 11.75,19.305 11.75,19.804 C 11.75,20.303 11.489,20.707 11.167,20.707 L 8.833,20.707 C 8.511,20.707 8.25,20.303 8.25,19.804 C 8.25,19.305 8.511,18.9 8.833,18.9"
- id="path60"
- style="fill:#d7d7d7;stroke:none;stroke-width:0.1" />
- <path
- d="M 8.833,18.9 L 11.167,18.9 C 11.489,18.9 11.75,19.305 11.75,19.804 C 11.75,20.303 11.489,20.707 11.167,20.707 L 8.833,20.707 C 8.511,20.707 8.25,20.303 8.25,19.804 C 8.25,19.305 8.511,18.9 8.833,18.9"
- id="path62"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="9.276"
- y="19.981001"
- id="text64"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Fail</text>
- <rect
- width="4.1399999"
- height="2.0999999"
- x="18.419001"
- y="6.6500001"
- id="rect66"
- style="fill:#d9d6d6;stroke:none;stroke-width:0" />
- <rect
- width="4.1399999"
- height="2.0999999"
- x="18.419001"
- y="6.6500001"
- id="rect68"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="18.969"
- y="7.8779998"
- id="text70"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">PassDB</text>
- <line
- x1="22.75"
- y1="6.5"
- x2="25"
- y2="5.25"
- stroke="#000000"
- stroke-width="0.050"
- id="line72"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="22.75"
- y1="8.75"
- x2="25"
- y2="10"
- stroke="#000000"
- stroke-width="0.050"
- id="line74"
- style="stroke:#000000;stroke-width:0.05" />
- <rect
- width="8"
- height="5.25"
- x="25.25"
- y="5"
- id="rect76"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="8"
- height="5.25"
- x="25.25"
- y="5"
- id="rect78"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="28.089001"
- y="5.75"
- id="text80"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">guest</text>
- <text
- x="26.85"
- y="6.75"
- id="text82"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">smbpasswd</text>
- <text
- x="27.709"
- y="7.75"
- id="text84"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">tdbsam</text>
- <text
- x="27.511999"
- y="8.75"
- id="text86"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">ldapsam</text>
- <text
- x="25.799999"
- y="9.75"
- id="text88"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">ldapsam_compat</text>
- <line
- x1="25.25"
- y1="6"
- x2="33.25"
- y2="6"
- stroke="#000000"
- stroke-width="0.050"
- id="line90"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="25.25"
- y1="7"
- x2="33.25"
- y2="7"
- stroke="#000000"
- stroke-width="0.050"
- id="line92"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="25.25"
- y1="8"
- x2="33.25"
- y2="8"
- stroke="#000000"
- stroke-width="0.050"
- id="line94"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="25.25"
- y1="9"
- x2="33.25"
- y2="9"
- stroke="#000000"
- stroke-width="0.050"
- id="line96"
- style="stroke:#000000;stroke-width:0.05" />
- <rect
- width="4.4899998"
- height="2.0999999"
- x="10.244"
- y="12.4"
- id="rect98"
- style="fill:#d7d7d7;stroke:none;stroke-width:0" />
- <rect
- width="4.4899998"
- height="2.0999999"
- x="10.244"
- y="12.4"
- id="rect100"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="10.794"
- y="13.628"
- id="text102"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Winbind</text>
- <rect
- width="7.5"
- height="2.75"
- x="0.5"
- y="12"
- id="rect104"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="7.5"
- height="2.75"
- x="0.5"
- y="12"
- id="rect106"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="0.066"
- y="13"
- id="text108"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">winbindd_idmap.tdb</text>
- <text
- x="2.513"
- y="14.25"
- id="text110"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">ldapsam</text>
- <line
- x1="8"
- y1="13.375"
- x2="0.5"
- y2="13.375"
- stroke="#000000"
- stroke-width="0.050"
- id="line112"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="8.25"
- y1="12"
- x2="10.25"
- y2="12.75"
- stroke="#000000"
- stroke-width="0.050"
- id="line114"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="8.25"
- y1="14.75"
- x2="10.25"
- y2="14"
- stroke="#000000"
- stroke-width="0.050"
- id="line116"
- style="stroke:#000000;stroke-width:0.05" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="12.489,14.500 12.489,15.500 20.489,15.500 20.489,8.750 "
- id="polyline118"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
-</svg>
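Review bot: the header comment at the top of this hunk ("Created with Inkscape") marks idmap-sid2uid.svg as an editable drawing, not just a rendered output, so deleting it together with idmap-sid2uid.png removes the editable copy of the SID-to-UID flowchart at this path. The labels in the deleted text elements (SID, Our Domain?, PassDB, Winbind, winbindd_idmap.tdb, Found?, UID, Fail) show that the figure documents an identity-mapping lookup. The commit message should either name the location where the figure's source is kept or state that the figure is being retired.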
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.png
deleted file mode 100644
index 386f024985..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.svg b/docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.svg
deleted file mode 100644
index bf15504974..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-store-gid2sid.svg
+++ /dev/null
@@ -1,122 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="26.294001cm"
- height="2.4000001cm"
- viewBox="0.45 1.35 26.744 3.75"
- id="svg2">
- <defs
- id="defs41" />
- <path
- d="M 13.02,1.721 L 15.23,1.721 C 15.535,1.721 15.782,2.126 15.782,2.625 C 15.782,3.124 15.535,3.529 15.23,3.529 L 13.02,3.529 C 12.715,3.529 12.468,3.124 12.468,2.625 C 12.468,2.126 12.715,1.721 13.02,1.721"
- id="path4"
- style="fill:#d7d7d7;stroke:none;stroke-width:0.1" />
- <path
- d="M 13.02,1.721 L 15.23,1.721 C 15.535,1.721 15.782,2.126 15.782,2.625 C 15.782,3.124 15.535,3.529 15.23,3.529 L 13.02,3.529 C 12.715,3.529 12.468,3.124 12.468,2.625 C 12.468,2.126 12.715,1.721 13.02,1.721"
- id="path6"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="13.424"
- y="2.803"
- id="text8"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">SID</text>
- <path
- d="M 1.083,1.65 L 3.417,1.65 C 3.739,1.65 4,2.055 4,2.554 C 4,3.053 3.739,3.457 3.417,3.457 L 1.083,3.457 C 0.761,3.457 0.5,3.053 0.5,2.554 C 0.5,2.055 0.761,1.65 1.083,1.65"
- id="path10"
- style="fill:#d7d7d7;stroke:none;stroke-width:0.1" />
- <path
- d="M 1.083,1.65 L 3.417,1.65 C 3.739,1.65 4,2.055 4,2.554 C 4,3.053 3.739,3.457 3.417,3.457 L 1.083,3.457 C 0.761,3.457 0.5,3.053 0.5,2.554 C 0.5,2.055 0.761,1.65 1.083,1.65"
- id="path12"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="1.511"
- y="2.7309999"
- id="text14"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">GID</text>
- <line
- x1="16"
- y1="3"
- x2="18"
- y2="3.5"
- stroke="#000000"
- stroke-width="0.050"
- id="line16"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="16"
- y1="2"
- x2="18"
- y2="1.5"
- stroke="#000000"
- stroke-width="0.050"
- id="line18"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="4"
- y1="2.5539999"
- x2="11.65"
- y2="2.618"
- stroke="#000000"
- stroke-width="0.100"
- id="line20"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="11.647,3.018 12.45,2.625 11.653,2.218 11.647,3.018 "
- id="polygon22"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <rect
- width="6.9219999"
- height="2.0999999"
- x="4.572"
- y="1.4"
- id="rect24"
- style="fill:#d7d7d7;stroke:none;stroke-width:0" />
- <rect
- width="6.9219999"
- height="2.0999999"
- x="4.572"
- y="1.4"
- id="rect26"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="5.1220002"
- y="2.6270001"
- id="text28"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">net groupmap</text>
- <rect
- width="8.1999998"
- height="2.2"
- x="18.25"
- y="1.5"
- id="rect30"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="8.1999998"
- height="2.2"
- x="18.25"
- y="1.5"
- id="rect32"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="20.511999"
- y="2.25"
- id="text34"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">ldapsam</text>
- <text
- x="17.955999"
- y="3.2"
- id="text36"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">groupmap_idmap.tdb</text>
- <line
- x1="26.549999"
- y1="2.45"
- x2="18.35"
- y2="2.45"
- stroke="#000000"
- stroke-width="0.050"
- id="line38"
- style="stroke:#000000;stroke-width:0.05" />
-</svg>
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.png b/docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.png
deleted file mode 100644
index d8519b85b7..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.svg b/docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.svg
deleted file mode 100644
index 13aca9cf70..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap-uid2sid.svg
+++ /dev/null
@@ -1,365 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="21.431cm"
- height="23.086cm"
- viewBox="10.369 0.921 31.8 24.007"
- id="svg2">
- <defs
- id="defs121" />
- <line
- x1="19.25"
- y1="12.75"
- x2="19.25"
- y2="14.15"
- stroke="#000000"
- stroke-width="0.100"
- id="line4"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="18.85,14.15 19.25,14.95 19.65,14.15 18.85,14.15 "
- id="polygon6"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <line
- x1="12.5"
- y1="2.779"
- x2="12.5"
- y2="4.6500001"
- stroke="#000000"
- stroke-width="0.100"
- id="line8"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="12.1,4.65 12.5,5.45 12.9,4.65 12.1,4.65 "
- id="polygon10"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <path
- d="M 11.333,0.971 L 13.667,0.971 C 13.989,0.971 14.25,1.376 14.25,1.875 C 14.25,2.374 13.989,2.779 13.667,2.779 L 11.333,2.779 C 11.011,2.779 10.75,2.374 10.75,1.875 C 10.75,1.376 11.011,0.971 11.333,0.971"
- id="path12"
- style="fill:#dcdcdc;stroke:none;stroke-width:0.1" />
- <path
- d="M 11.333,0.971 L 13.667,0.971 C 13.989,0.971 14.25,1.376 14.25,1.875 C 14.25,2.374 13.989,2.779 13.667,2.779 L 11.333,2.779 C 11.011,2.779 10.75,2.374 10.75,1.875 C 10.75,1.376 11.011,0.971 11.333,0.971"
- id="path14"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="11.765"
- y="2.053"
- id="text16"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">UID</text>
- <line
- x1="12.489"
- y1="7.5"
- x2="12.497"
- y2="9.6499996"
- stroke="#000000"
- stroke-width="0.100"
- id="line18"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="12.097,9.651 12.5,10.45 12.897,9.649 12.097,9.651 "
- id="polygon20"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <path
- d="M 14.833,22.15 L 17.167,22.15 C 17.489,22.15 17.75,22.555 17.75,23.054 C 17.75,23.553 17.489,23.957 17.167,23.957 L 14.833,23.957 C 14.511,23.957 14.25,23.553 14.25,23.054 C 14.25,22.555 14.511,22.15 14.833,22.15"
- id="path22"
- style="fill:#d5d5d5;stroke:none;stroke-width:0.1" />
- <path
- d="M 14.833,22.15 L 17.167,22.15 C 17.489,22.15 17.75,22.555 17.75,23.054 C 17.75,23.553 17.489,23.957 17.167,23.957 L 14.833,23.957 C 14.511,23.957 14.25,23.553 14.25,23.054 C 14.25,22.555 14.511,22.15 14.833,22.15"
- id="path24"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="15.299"
- y="23.231001"
- id="text26"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">SID</text>
- <polygon
- points="12.5,10.5 14.5,12 12.5,13.5 10.5,12 12.5,10.5 "
- id="polygon28"
- style="fill:#b8f5fc;stroke:none;stroke-width:0.1" />
- <polygon
- points="12.5,10.5 14.5,12 12.5,13.5 10.5,12 12.5,10.5 "
- id="polygon30"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="11.023"
- y="12.25"
- id="text32"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Found?</text>
- <text
- x="13.031"
- y="14.5"
- id="text34"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">Yes</text>
- <text
- x="14.854"
- y="11.75"
- id="text36"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">No</text>
- <line
- x1="14.5"
- y1="12"
- x2="16.4"
- y2="12"
- stroke="#000000"
- stroke-width="0.100"
- id="line38"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="16.4,12.4 17.2,12 16.4,11.6 16.4,12.4 "
- id="polygon40"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <line
- x1="16"
- y1="19.25"
- x2="16"
- y2="21.4"
- stroke="#000000"
- stroke-width="0.100"
- id="line42"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="15.6,21.4 16,22.2 16.4,21.4 15.6,21.4 "
- id="polygon44"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
- <path
- d="M 24.083,15.65 L 26.417,15.65 C 26.739,15.65 27,16.055 27,16.554 C 27,17.053 26.739,17.457 26.417,17.457 L 24.083,17.457 C 23.761,17.457 23.5,17.053 23.5,16.554 C 23.5,16.055 23.761,15.65 24.083,15.65"
- id="path46"
- style="fill:#d9d9d9;stroke:none;stroke-width:0.1" />
- <path
- d="M 24.083,15.65 L 26.417,15.65 C 26.739,15.65 27,16.055 27,16.554 C 27,17.053 26.739,17.457 26.417,17.457 L 24.083,17.457 C 23.761,17.457 23.5,17.053 23.5,16.554 C 23.5,16.055 23.761,15.65 24.083,15.65"
- id="path48"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="24.525999"
- y="16.731001"
- id="text50"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Fail</text>
- <rect
- width="4.1399999"
- height="2.0999999"
- x="10.419"
- y="5.4000001"
- id="rect52"
- style="fill:#dcd7d7;stroke:none;stroke-width:0" />
- <rect
- width="4.1399999"
- height="2.0999999"
- x="10.419"
- y="5.4000001"
- id="rect54"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="10.969"
- y="6.6279998"
- id="text56"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">PassDB</text>
- <line
- x1="14.75"
- y1="5.25"
- x2="17"
- y2="4"
- stroke="#000000"
- stroke-width="0.050"
- id="line58"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="14.75"
- y1="7.5"
- x2="17"
- y2="8.75"
- stroke="#000000"
- stroke-width="0.050"
- id="line60"
- style="stroke:#000000;stroke-width:0.05" />
- <rect
- width="8"
- height="5.25"
- x="17.25"
- y="3.75"
- id="rect62"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="8"
- height="5.25"
- x="17.25"
- y="3.75"
- id="rect64"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="20.089001"
- y="4.5"
- id="text66"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">guest</text>
- <text
- x="18.85"
- y="5.5"
- id="text68"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">smbpasswd</text>
- <text
- x="19.709"
- y="6.5"
- id="text70"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">tdbsam</text>
- <text
- x="19.511999"
- y="7.5"
- id="text72"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">ldapsam</text>
- <text
- x="17.799999"
- y="8.5"
- id="text74"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">ldapsam_compat</text>
- <line
- x1="17.25"
- y1="4.75"
- x2="25.25"
- y2="4.75"
- stroke="#000000"
- stroke-width="0.050"
- id="line76"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="17.25"
- y1="5.75"
- x2="25.25"
- y2="5.75"
- stroke="#000000"
- stroke-width="0.050"
- id="line78"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="17.25"
- y1="6.75"
- x2="25.25"
- y2="6.75"
- stroke="#000000"
- stroke-width="0.050"
- id="line80"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="17.25"
- y1="7.75"
- x2="25.25"
- y2="7.75"
- stroke="#000000"
- stroke-width="0.050"
- id="line82"
- style="stroke:#000000;stroke-width:0.05" />
- <polyline
- fill="none"
- stroke="#000000"
- stroke-width="0.100"
- points="12.500,13.500 12.500,19.000 19.250,19.000 19.250,18.000 "
- id="polyline84"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="4.4899998"
- height="2.0999999"
- x="16.993999"
- y="10.9"
- id="rect86"
- style="fill:#d7d7d7;stroke:none;stroke-width:0" />
- <rect
- width="4.4899998"
- height="2.0999999"
- x="16.993999"
- y="10.9"
- id="rect88"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="17.544001"
- y="12.128"
- id="text90"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Winbind</text>
- <line
- x1="21.5"
- y1="12.5"
- x2="23.5"
- y2="13.25"
- stroke="#000000"
- stroke-width="0.050"
- id="line92"
- style="stroke:#000000;stroke-width:0.05" />
- <line
- x1="21.5"
- y1="11.25"
- x2="23.5"
- y2="10.5"
- stroke="#000000"
- stroke-width="0.050"
- id="line94"
- style="stroke:#000000;stroke-width:0.05" />
- <rect
- width="7.6669998"
- height="2.75"
- x="23.75"
- y="10.5"
- id="rect96"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="7.6669998"
- height="2.75"
- x="23.75"
- y="10.5"
- id="rect98"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="23.433001"
- y="11.507"
- id="text100"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">winbindd_idmap.tdb</text>
- <text
- x="25.761999"
- y="12.75"
- id="text102"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">ldapsam</text>
- <line
- x1="31.417"
- y1="11.875"
- x2="23.75"
- y2="11.875"
- stroke="#000000"
- stroke-width="0.050"
- id="line104"
- style="stroke:#000000;stroke-width:0.05" />
- <polygon
- points="19.25,15 21.25,16.5 19.25,18 17.25,16.5 19.25,15 "
- id="polygon106"
- style="fill:#bcf9ff;stroke:none;stroke-width:0.1" />
- <polygon
- points="19.25,15 21.25,16.5 19.25,18 17.25,16.5 19.25,15 "
- id="polygon108"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="17.773001"
- y="16.75"
- id="text110"
- style="font-size:1px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:luxi sans">Found?</text>
- <text
- x="19.781"
- y="19"
- id="text112"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">Yes</text>
- <text
- x="21.604"
- y="16.25"
- id="text114"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:luxi sans">No</text>
- <line
- x1="21.25"
- y1="16.5"
- x2="22.65"
- y2="16.5"
- stroke="#000000"
- stroke-width="0.100"
- id="line116"
- style="stroke:#000000;stroke-width:0.1" />
- <polygon
- points="22.65,16.9 23.45,16.5 22.65,16.1 22.65,16.9 "
- id="polygon118"
- style="fill:#000000;stroke:none;stroke-width:0.1" />
-</svg>
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap.png b/docs/htmldocs/Samba3-HOWTO/images/idmap.png
deleted file mode 100644
index d0bc622245..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap.svg b/docs/htmldocs/Samba3-HOWTO/images/idmap.svg
deleted file mode 100644
index db2d883551..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap.svg
+++ /dev/null
@@ -1,119 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="8.1999998cm"
- height="17.198cm"
- viewBox="1.45 1.4 9.65 18.598"
- id="svg2">
- <defs
- id="defs45" />
- <rect
- width="7.3000002"
- height="2.5999999"
- x="1.5"
- y="1.7"
- id="rect4"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="7.3000002"
- height="2.5999999"
- x="1.5"
- y="1.7"
- id="rect6"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="5.9000001"
- height="2.7"
- x="2.3"
- y="8.5"
- id="rect8"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="5.9000001"
- height="2.7"
- x="2.3"
- y="8.5"
- id="rect10"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="2.7"
- y="2.8"
- id="text12"
- style="font-size:0.80000001px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:sans">passdb backend</text>
- <text
- x="1.7"
- y="3.7"
- id="text14"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">contains samba users</text>
- <text
- x="4.5"
- y="9.3999996"
- id="text16"
- style="font-size:0.80000001px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:sans">idmap</text>
- <text
- x="3.3"
- y="10.2"
- id="text18"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">maps unix to</text>
- <text
- x="3.3"
- y="11"
- id="text20"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">samba users</text>
- <rect
- width="7.6999998"
- height="3"
- x="1.9"
- y="15.5"
- id="rect22"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="7.6999998"
- height="3"
- x="1.9"
- y="15.5"
- id="rect24"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.675,7.35 4.675,5.45 4.2,5.45 5.15,4.5 6.1,5.45 5.625,5.45 5.625,7.35 6.1,7.35 5.15,8.3 4.2,7.35 4.675,7.35 "
- id="polygon26"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.675,7.35 4.675,5.45 4.2,5.45 5.15,4.5 6.1,5.45 5.625,5.45 5.625,7.35 6.1,7.35 5.15,8.3 4.2,7.35 4.675,7.35 "
- id="polygon28"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.675,7.35 4.675,5.45 4.2,5.45 5.15,4.5 6.1,5.45 5.625,5.45 5.625,7.35 6.1,7.35 5.15,8.3 4.2,7.35 4.675,7.35 "
- id="polygon30"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="4.763,14.175 4.763,12.325 4.3,12.325 5.225,11.4 6.15,12.325 5.688,12.325 5.688,14.175 6.15,14.175 5.225,15.1 4.3,14.175 4.763,14.175 "
- id="polygon32"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="4.763,14.175 4.763,12.325 4.3,12.325 5.225,11.4 6.15,12.325 5.688,12.325 5.688,14.175 6.15,14.175 5.225,15.1 4.3,14.175 4.763,14.175 "
- id="polygon34"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="4.763,14.175 4.763,12.325 4.3,12.325 5.225,11.4 6.15,12.325 5.688,12.325 5.688,14.175 6.15,14.175 5.225,15.1 4.3,14.175 4.763,14.175 "
- id="polygon36"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="3.7"
- y="16.299999"
- id="text38"
- style="font-size:0.80000001px;font-style:normal;font-weight:700;text-anchor:start;fill:#000000;font-family:sans">Unix users</text>
- <text
- x="2.4000001"
- y="17.4"
- id="text40"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">/etc/passwd</text>
- <text
- x="2.4000001"
- y="18.200001"
- id="text42"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">or other NSS backend</text>
-</svg>
diff --git a/docs/htmldocs/Samba3-HOWTO/images/idmap_winbind_no_loop.png b/docs/htmldocs/Samba3-HOWTO/images/idmap_winbind_no_loop.png
deleted file mode 100644
index 5393f6a192..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/idmap_winbind_no_loop.png
+++ /dev/null
Binary files differ
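Review bot: idmap_winbind_no_loop.png is deleted here with no matching .svg deletion before the next entry (pdftoepsonusb.png), whereas the neighbouring images (idmap-sid2uid, idmap-store-gid2sid, idmap-uid2sid, idmap, pdftoepsonusb) are each removed as a .png/.svg pair. Please confirm that no vector source for this figure is tracked under another name and left behind by this change, and if none ever existed, say so in the commit message.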
diff --git a/docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.png b/docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.png
deleted file mode 100644
index abb2c1e0fe..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.svg b/docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.svg
deleted file mode 100644
index d9434d7e26..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/pdftoepsonusb.svg
+++ /dev/null
@@ -1,156 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="18.5cm"
- height="4.9990001cm"
- viewBox="5.85 2.808 24.35 7.807"
- id="svg2">
- <defs
- id="defs59" />
- <rect
- width="4.0999999"
- height="1"
- x="5.9000001"
- y="3"
- id="rect4"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.0999999"
- height="1"
- x="5.9000001"
- y="3"
- id="rect6"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="6.8039999"
- y="3.8"
- id="text8"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">pdftops</text>
- <rect
- width="4.0999999"
- height="1"
- x="12.8"
- y="3"
- id="rect10"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.0999999"
- height="1"
- x="12.8"
- y="3"
- id="rect12"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="13.835"
- y="3.8"
- id="text14"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">pstops</text>
- <rect
- width="4.0999999"
- height="1"
- x="19.9"
- y="3"
- id="rect16"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.7609506"
- height="0.99263805"
- x="19.903681"
- y="3.0036809"
- id="rect18"
- style="fill:none;stroke:#000000;stroke-width:0.10736195" />
- <text
- x="20.409"
- y="3.8"
- id="text20"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">pstoraster</text>
- <polygon
- points="10.5,3.225 11.5,3.225 11.5,2.9 12.5,3.55 11.5,4.2 11.5,3.875 10.5,3.875 10.5,3.225 "
- id="polygon22"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="10.5,3.225 11.5,3.225 11.5,2.9 12.5,3.55 11.5,4.2 11.5,3.875 10.5,3.875 10.5,3.225 "
- id="polygon24"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="10.5,3.225 11.5,3.225 11.5,2.9 12.5,3.55 11.5,4.2 11.5,3.875 10.5,3.875 10.5,3.225 "
- id="polygon26"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="17.4,3.225 18.4,3.225 18.4,2.9 19.4,3.55 18.4,4.2 18.4,3.875 17.4,3.875 17.4,3.225 "
- id="polygon28"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="17.4,3.225 18.4,3.225 18.4,2.9 19.4,3.55 18.4,4.2 18.4,3.875 17.4,3.875 17.4,3.225 "
- id="polygon30"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="17.4,3.225 18.4,3.225 18.4,2.9 19.4,3.55 18.4,4.2 18.4,3.875 17.4,3.875 17.4,3.225 "
- id="polygon32"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="4.8000002"
- height="1"
- x="19.5"
- y="6.3000002"
- id="rect34"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="6.0224352"
- height="0.9886266"
- x="19.505686"
- y="6.305687"
- id="rect36"
- style="fill:none;stroke:#000000;stroke-width:0.11137342" />
- <text
- x="19.865999"
- y="7.0999999"
- id="text38"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">rastertoepson</text>
- <polygon
- points="21.6,4.4 21.6,5.2 21.2,5.2 22,6 22.8,5.2 22.4,5.2 22.4,4.4 21.6,4.4 "
- id="polygon40"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="21.6,4.4 21.6,5.2 21.2,5.2 22,6 22.8,5.2 22.4,5.2 22.4,4.4 21.6,4.4 "
- id="polygon42"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="21.6,4.4 21.6,5.2 21.2,5.2 22,6 22.8,5.2 22.4,5.2 22.4,4.4 21.6,4.4 "
- id="polygon44"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="4.0999999"
- height="1"
- x="12.5"
- y="6.3000002"
- id="rect46"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.0999999"
- height="1"
- x="12.5"
- y="6.3000002"
- id="rect48"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="13.979"
- y="7.0999999"
- id="text50"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">usb</text>
- <polygon
- points="18.886,6.422 18.043,6.422 18.043,6 17.2,6.843 18.043,7.686 18.043,7.265 18.886,7.265 18.886,6.422 "
- id="polygon52"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="18.886,6.422 18.043,6.422 18.043,6 17.2,6.843 18.043,7.686 18.043,7.265 18.886,7.265 18.886,6.422 "
- id="polygon54"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="18.886,6.422 18.043,6.422 18.043,6 17.2,6.843 18.043,7.686 18.043,7.265 18.886,7.265 18.886,6.422 "
- id="polygon56"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
-</svg>
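Review bot: The comment on the second line of this deleted file ("Created with Inkscape") suggests pdftoepsonusb.svg is an authored drawing, not something the doc build can regenerate from XML, so deleting it together with the rendered pdftoepsonusb.png is only safe if a master copy lives outside docs/htmldocs. Please state in the commit message where that copy is, or keep the SVG and drop only the PNG.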
diff --git a/docs/htmldocs/Samba3-HOWTO/images/pdftosocket.png b/docs/htmldocs/Samba3-HOWTO/images/pdftosocket.png
deleted file mode 100644
index 677552a049..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/pdftosocket.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/pdftosocket.svg b/docs/htmldocs/Samba3-HOWTO/images/pdftosocket.svg
deleted file mode 100644
index 1c9732c3d2..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/pdftosocket.svg
+++ /dev/null
@@ -1,94 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="18.200001cm"
- height="1.484cm"
- viewBox="5.85 2.808 24.05 4.292"
- id="svg2">
- <defs
- id="defs35" />
- <rect
- width="4.0999999"
- height="1"
- x="5.9000001"
- y="3"
- id="rect4"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.0999999"
- height="1"
- x="5.9000001"
- y="3"
- id="rect6"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="6.8039999"
- y="3.8"
- id="text8"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">pdftops</text>
- <rect
- width="4.0999999"
- height="1"
- x="12.8"
- y="3"
- id="rect10"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.0999999"
- height="1"
- x="12.8"
- y="3"
- id="rect12"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="13.835"
- y="3.8"
- id="text14"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">pstops</text>
- <rect
- width="4.0999999"
- height="1"
- x="19.9"
- y="3"
- id="rect16"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="4.0999999"
- height="1"
- x="19.9"
- y="3"
- id="rect18"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <text
- x="20.959"
- y="3.8"
- id="text20"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">socket</text>
- <polygon
- points="10.5,3.225 11.5,3.225 11.5,2.9 12.5,3.55 11.5,4.2 11.5,3.875 10.5,3.875 10.5,3.225 "
- id="polygon22"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="10.5,3.225 11.5,3.225 11.5,2.9 12.5,3.55 11.5,4.2 11.5,3.875 10.5,3.875 10.5,3.225 "
- id="polygon24"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="10.5,3.225 11.5,3.225 11.5,2.9 12.5,3.55 11.5,4.2 11.5,3.875 10.5,3.875 10.5,3.225 "
- id="polygon26"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="17.4,3.225 18.4,3.225 18.4,2.9 19.4,3.55 18.4,4.2 18.4,3.875 17.4,3.875 17.4,3.225 "
- id="polygon28"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="17.4,3.225 18.4,3.225 18.4,2.9 19.4,3.55 18.4,4.2 18.4,3.875 17.4,3.875 17.4,3.225 "
- id="polygon30"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="17.4,3.225 18.4,3.225 18.4,2.9 19.4,3.55 18.4,4.2 18.4,3.875 17.4,3.875 17.4,3.225 "
- id="polygon32"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
-</svg>
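Review bot: Nothing in this deletion (the whole 94-line pdftosocket.svg goes to /dev/null, with its PNG removed in the diff just before it) prevents the same artifacts from being committed again after the next local docs build. If docs/htmldocs is meant to stay out of the tree, add an ignore entry for it in the same change, unless one is already part of this commit outside the path shown here.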
diff --git a/docs/htmldocs/Samba3-HOWTO/images/trusts1.png b/docs/htmldocs/Samba3-HOWTO/images/trusts1.png
deleted file mode 100644
index e920048985..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/trusts1.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/trusts1.svg b/docs/htmldocs/Samba3-HOWTO/images/trusts1.svg
deleted file mode 100644
index 9845d493cf..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/trusts1.svg
+++ /dev/null
@@ -1,792 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.0"
- width="27.1cm"
- height="8.493cm"
- viewBox="6.95 1.958 34.05 10.45"
- id="svg2">
- <defs
- id="defs273" />
- <rect
- width="1.367"
- height="3.1900001"
- x="8.8730001"
- y="5"
- id="rect4"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.367"
- height="3.1900001"
- x="8.8730001"
- y="5"
- id="rect6"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.094"
- height="0.36500001"
- x="9.0100002"
- y="5.191"
- id="rect8"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.094"
- height="0.36500001"
- x="9.0100002"
- y="5.5560002"
- id="rect10"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.094"
- height="0.36500001"
- x="9.0100002"
- y="5.921"
- id="rect12"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.094"
- height="0.36500001"
- x="9.0100002"
- y="6.2849998"
- id="rect14"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.68400002"
- height="0.219"
- x="9.0100002"
- y="6.723"
- id="rect16"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="10.036"
- cy="6.7589998"
- rx="0.048"
- ry="0.048"
- id="ellipse18"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="10.036"
- cy="6.7589998"
- rx="0.048"
- ry="0.048"
- id="ellipse20"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="10.036"
- cy="6.9050002"
- rx="0.048"
- ry="0.048"
- id="ellipse22"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="10.036"
- cy="6.9050002"
- rx="0.048"
- ry="0.048"
- id="ellipse24"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.164"
- height="0.146"
- x="9.7620001"
- y="6.796"
- id="rect26"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.164"
- height="0.146"
- x="9.7620001"
- y="6.796"
- id="rect28"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 9.101,7.233 L 9.101,8.031"
- id="path30"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 9.329,7.233 L 9.329,8.031"
- id="path32"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 9.557,7.233 L 9.557,8.031"
- id="path34"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 9.785,7.233 L 9.785,8.031"
- id="path36"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 10.013,7.233 L 10.013,8.031"
- id="path38"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 10.241,7.233 L 10.241,8.031"
- id="path40"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="8.6,8.464 8.873,7.917 8.873,8.19 10.241,8.19 10.241,7.917 10.605,8.464 8.6,8.464 "
- id="polygon42"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="8.6,8.464 8.873,7.917 8.873,8.19 10.241,8.19 10.241,7.917 10.605,8.464 8.6,8.464 "
- id="polygon44"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="12.25"
- cy="6.6999998"
- rx="5.25"
- ry="3.5999999"
- id="ellipse46"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.365"
- height="3.1860001"
- x="11.273"
- y="5"
- id="rect48"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.365"
- height="3.1860001"
- x="11.273"
- y="5"
- id="rect50"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.092"
- height="0.36399999"
- x="11.41"
- y="5.191"
- id="rect52"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.092"
- height="0.36399999"
- x="11.41"
- y="5.5549998"
- id="rect54"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.092"
- height="0.36399999"
- x="11.41"
- y="5.9190001"
- id="rect56"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.092"
- height="0.36399999"
- x="11.41"
- y="6.2839999"
- id="rect58"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.68300003"
- height="0.21799999"
- x="11.41"
- y="6.7199998"
- id="rect60"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="12.434"
- cy="6.757"
- rx="0.048"
- ry="0.048"
- id="ellipse62"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="12.434"
- cy="6.757"
- rx="0.048"
- ry="0.048"
- id="ellipse64"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="12.434"
- cy="6.902"
- rx="0.048"
- ry="0.048"
- id="ellipse66"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="12.434"
- cy="6.902"
- rx="0.048"
- ry="0.048"
- id="ellipse68"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.164"
- height="0.146"
- x="12.161"
- y="6.7930002"
- id="rect70"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.164"
- height="0.146"
- x="12.161"
- y="6.7930002"
- id="rect72"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 11.501,7.23 L 11.501,8.027"
- id="path74"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 11.728,7.23 L 11.728,8.027"
- id="path76"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 11.956,7.23 L 11.956,8.027"
- id="path78"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 12.183,7.23 L 12.183,8.027"
- id="path80"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 12.411,7.23 L 12.411,8.027"
- id="path82"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 12.639,7.23 L 12.639,8.027"
- id="path84"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="11,8.459 11.273,7.913 11.273,8.186 12.639,8.186 12.639,7.913 13.003,8.459 11,8.459 "
- id="polygon86"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="11,8.459 11.273,7.913 11.273,8.186 12.639,8.186 12.639,7.913 13.003,8.459 11,8.459 "
- id="polygon88"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.322"
- height="3.086"
- x="13.764"
- y="5.0999999"
- id="rect90"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.322"
- height="3.086"
- x="13.764"
- y="5.0999999"
- id="rect92"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.058"
- height="0.35299999"
- x="13.897"
- y="5.2849998"
- id="rect94"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.058"
- height="0.35299999"
- x="13.897"
- y="5.638"
- id="rect96"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.058"
- height="0.35299999"
- x="13.897"
- y="5.9899998"
- id="rect98"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.058"
- height="0.35299999"
- x="13.897"
- y="6.3429999"
- id="rect100"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.66100001"
- height="0.212"
- x="13.897"
- y="6.7659998"
- id="rect102"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="14.888"
- cy="6.8010001"
- rx="0.046"
- ry="0.046"
- id="ellipse104"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="14.888"
- cy="6.8010001"
- rx="0.046"
- ry="0.046"
- id="ellipse106"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="14.888"
- cy="6.9419999"
- rx="0.046"
- ry="0.046"
- id="ellipse108"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="14.888"
- cy="6.9419999"
- rx="0.046"
- ry="0.046"
- id="ellipse110"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.15899999"
- height="0.141"
- x="14.624"
- y="6.8369999"
- id="rect112"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.15899999"
- height="0.141"
- x="14.624"
- y="6.8369999"
- id="rect114"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 13.985,7.26 L 13.985,8.031"
- id="path116"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 14.205,7.26 L 14.205,8.031"
- id="path118"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 14.426,7.26 L 14.426,8.031"
- id="path120"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 14.646,7.26 L 14.646,8.031"
- id="path122"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 14.866,7.26 L 14.866,8.031"
- id="path124"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 15.087,7.26 L 15.087,8.031"
- id="path126"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="13.5,8.45 13.764,7.921 13.764,8.186 15.087,8.186 15.087,7.921 15.439,8.45 13.5,8.45 "
- id="polygon128"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="13.5,8.45 13.764,7.921 13.764,8.186 15.087,8.186 15.087,7.921 15.439,8.45 13.5,8.45 "
- id="polygon130"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="10.5"
- y="2.5"
- id="text132"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Domain A</text>
- <text
- x="27.299999"
- y="2.8"
- id="text134"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Domain B</text>
- <polygon
- points="18.5,6.5 20.6,6.5 20.6,6.2 22.7,6.8 20.6,7.4 20.6,7.1 18.5,7.1 18.5,6.5 "
- id="polygon136"
- style="fill:#ffffff;stroke:none;stroke-width:0.1" />
- <polygon
- points="18.5,6.5 20.6,6.5 20.6,6.2 22.7,6.8 20.6,7.4 20.6,7.1 18.5,7.1 18.5,6.5 "
- id="polygon138"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <polygon
- points="18.5,6.5 20.6,6.5 20.6,6.2 22.7,6.8 20.6,7.4 20.6,7.1 18.5,7.1 18.5,6.5 "
- id="polygon140"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <text
- x="19.299999"
- y="5.9000001"
- id="text142"
- style="font-size:0.80000001px;font-style:normal;font-weight:400;text-anchor:start;fill:#000000;font-family:sans">Trusts</text>
- <rect
- width="1.367"
- height="3.1900001"
- x="25.372999"
- y="5.0999999"
- id="rect144"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.367"
- height="3.1900001"
- x="25.372999"
- y="5.0999999"
- id="rect146"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.094"
- height="0.36500001"
- x="25.51"
- y="5.2909999"
- id="rect148"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.094"
- height="0.36500001"
- x="25.51"
- y="5.6560001"
- id="rect150"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.094"
- height="0.36500001"
- x="25.51"
- y="6.0209999"
- id="rect152"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.094"
- height="0.36500001"
- x="25.51"
- y="6.3850002"
- id="rect154"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.68400002"
- height="0.219"
- x="25.51"
- y="6.823"
- id="rect156"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="26.535999"
- cy="6.8590002"
- rx="0.048"
- ry="0.048"
- id="ellipse158"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="26.535999"
- cy="6.8590002"
- rx="0.048"
- ry="0.048"
- id="ellipse160"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="26.535999"
- cy="7.0050001"
- rx="0.048"
- ry="0.048"
- id="ellipse162"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="26.535999"
- cy="7.0050001"
- rx="0.048"
- ry="0.048"
- id="ellipse164"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.164"
- height="0.146"
- x="26.261999"
- y="6.8959999"
- id="rect166"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.164"
- height="0.146"
- x="26.261999"
- y="6.8959999"
- id="rect168"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 25.601,7.333 L 25.601,8.131"
- id="path170"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 25.829,7.333 L 25.829,8.131"
- id="path172"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 26.057,7.333 L 26.057,8.131"
- id="path174"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 26.285,7.333 L 26.285,8.131"
- id="path176"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 26.513,7.333 L 26.513,8.131"
- id="path178"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 26.741,7.333 L 26.741,8.131"
- id="path180"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="25.1,8.564 25.373,8.017 25.373,8.29 26.741,8.29 26.741,8.017 27.105,8.564 25.1,8.564 "
- id="polygon182"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="25.1,8.564 25.373,8.017 25.373,8.29 26.741,8.29 26.741,8.017 27.105,8.564 25.1,8.564 "
- id="polygon184"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="28.75"
- cy="6.8000002"
- rx="5.25"
- ry="3.5999999"
- id="ellipse186"
- style="fill:none;stroke:#000000;stroke-width:0.1" />
- <rect
- width="1.365"
- height="3.1860001"
- x="27.773001"
- y="5.0999999"
- id="rect188"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.365"
- height="3.1860001"
- x="27.773001"
- y="5.0999999"
- id="rect190"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.092"
- height="0.36399999"
- x="27.91"
- y="5.2909999"
- id="rect192"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.092"
- height="0.36399999"
- x="27.91"
- y="5.6550002"
- id="rect194"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.092"
- height="0.36399999"
- x="27.91"
- y="6.0190001"
- id="rect196"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.092"
- height="0.36399999"
- x="27.91"
- y="6.3839998"
- id="rect198"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.68300003"
- height="0.21799999"
- x="27.91"
- y="6.8200002"
- id="rect200"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="28.934"
- cy="6.8569999"
- rx="0.048"
- ry="0.048"
- id="ellipse202"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="28.934"
- cy="6.8569999"
- rx="0.048"
- ry="0.048"
- id="ellipse204"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="28.934"
- cy="7.0019999"
- rx="0.048"
- ry="0.048"
- id="ellipse206"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="28.934"
- cy="7.0019999"
- rx="0.048"
- ry="0.048"
- id="ellipse208"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.164"
- height="0.146"
- x="28.660999"
- y="6.8930001"
- id="rect210"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.164"
- height="0.146"
- x="28.660999"
- y="6.8930001"
- id="rect212"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 28.001,7.33 L 28.001,8.127"
- id="path214"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 28.228,7.33 L 28.228,8.127"
- id="path216"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 28.456,7.33 L 28.456,8.127"
- id="path218"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 28.683,7.33 L 28.683,8.127"
- id="path220"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 28.911,7.33 L 28.911,8.127"
- id="path222"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 29.139,7.33 L 29.139,8.127"
- id="path224"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="27.5,8.559 27.773,8.013 27.773,8.286 29.139,8.286 29.139,8.013 29.503,8.559 27.5,8.559 "
- id="polygon226"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="27.5,8.559 27.773,8.013 27.773,8.286 29.139,8.286 29.139,8.013 29.503,8.559 27.5,8.559 "
- id="polygon228"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.322"
- height="3.086"
- x="30.264"
- y="5.1999998"
- id="rect230"
- style="fill:#b3b3b3;stroke:none;stroke-width:0" />
- <rect
- width="1.322"
- height="3.086"
- x="30.264"
- y="5.1999998"
- id="rect232"
- style="fill:none;stroke:#000000;stroke-width:0.08" />
- <rect
- width="1.058"
- height="0.35299999"
- x="30.396999"
- y="5.3850002"
- id="rect234"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.058"
- height="0.35299999"
- x="30.396999"
- y="5.7379999"
- id="rect236"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.058"
- height="0.35299999"
- x="30.396999"
- y="6.0900002"
- id="rect238"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="1.058"
- height="0.35299999"
- x="30.396999"
- y="6.4429998"
- id="rect240"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.66100001"
- height="0.212"
- x="30.396999"
- y="6.8660002"
- id="rect242"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="31.388"
- cy="6.901"
- rx="0.046"
- ry="0.046"
- id="ellipse244"
- style="fill:#00ff00;stroke:none" />
- <ellipse
- cx="31.388"
- cy="6.901"
- rx="0.046"
- ry="0.046"
- id="ellipse246"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <ellipse
- cx="31.388"
- cy="7.0430002"
- rx="0.046"
- ry="0.046"
- id="ellipse248"
- style="fill:#ffff00;stroke:none" />
- <ellipse
- cx="31.388"
- cy="7.0430002"
- rx="0.046"
- ry="0.046"
- id="ellipse250"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <rect
- width="0.15899999"
- height="0.141"
- x="31.124001"
- y="6.9369998"
- id="rect252"
- style="fill:#ffffff;stroke:none;stroke-width:0" />
- <rect
- width="0.15899999"
- height="0.141"
- x="31.124001"
- y="6.9369998"
- id="rect254"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 30.485,7.36 L 30.485,8.131"
- id="path256"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 30.705,7.36 L 30.705,8.131"
- id="path258"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 30.926,7.36 L 30.926,8.131"
- id="path260"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 31.146,7.36 L 31.146,8.131"
- id="path262"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 31.366,7.36 L 31.366,8.131"
- id="path264"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <path
- d="M 31.587,7.36 L 31.587,8.131"
- id="path266"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
- <polygon
- points="30,8.55 30.264,8.021 30.264,8.286 31.587,8.286 31.587,8.021 31.939,8.55 30,8.55 "
- id="polygon268"
- style="fill:#999999;stroke:none;stroke-width:0.01" />
- <polygon
- points="30,8.55 30.264,8.021 30.264,8.286 31.587,8.286 31.587,8.021 31.939,8.55 30,8.55 "
- id="polygon270"
- style="fill:none;stroke:#000000;stroke-width:0.01" />
-</svg>
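Review bot: With trusts1.svg deleted here and trusts1.png in the diff just before it, anything outside docs/htmldocs/Samba3-HOWTO that still links to images/trusts1.png will show a broken figure; the text labels in this hunk (Domain A, Domain B, Trusts) identify it as the domain trust diagram. Please search the remaining tree and the published site for references to docs/htmldocs/Samba3-HOWTO/images/ before merging.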
diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp001.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp001.png
deleted file mode 100644
index 43adf23463..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/w2kp001.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp002.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp002.png
deleted file mode 100644
index 13bb029f53..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/w2kp002.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp003.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp003.png
deleted file mode 100644
index c7b779900e..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/w2kp003.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp004.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp004.png
deleted file mode 100644
index d0e005a36e..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/w2kp004.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp005.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp005.png
deleted file mode 100644
index a729b40cd7..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/w2kp005.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/w2kp006.png b/docs/htmldocs/Samba3-HOWTO/images/w2kp006.png
deleted file mode 100644
index ea96db055a..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/w2kp006.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp001.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp001.png
deleted file mode 100644
index 2e689a17e2..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp001.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp004.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp004.png
deleted file mode 100644
index 656f67942e..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp004.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp006.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp006.png
deleted file mode 100644
index a20b3ed583..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp006.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp007.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp007.png
deleted file mode 100644
index cf41352220..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp007.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp008.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp008.png
deleted file mode 100644
index 9958c7c873..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp008.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp010.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp010.png
deleted file mode 100644
index 068a0dfc73..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp010.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp011.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp011.png
deleted file mode 100644
index 0cf88c04a6..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp011.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp012.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp012.png
deleted file mode 100644
index d89f3b5d31..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp012.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp013.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp013.png
deleted file mode 100644
index 451240ee38..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp013.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/images/wxpp015.png b/docs/htmldocs/Samba3-HOWTO/images/wxpp015.png
deleted file mode 100644
index 12fe2f31b2..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/images/wxpp015.png
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/Samba3-HOWTO/index.html b/docs/htmldocs/Samba3-HOWTO/index.html
deleted file mode 100644
index 745e38d88d..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/index.html
+++ /dev/null
@@ -1,50 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>The Official Samba 3.5.x HOWTO and Reference Guide</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="next" href="pr01.html" title="About the Cover Artwork"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">The Official Samba 3.5.x HOWTO and Reference Guide</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr></table><hr></div><div class="book" title="The Official Samba 3.5.x HOWTO and Reference Guide"><div class="titlepage"><div><div><h1 class="title"><a name="Samba-HOWTO-Collection"></a>The Official Samba 3.5.x HOWTO and Reference Guide</h1></div><div><div class="authorgroup"><div class="editor"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div><div class="editor"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div><div class="editor"><h4 class="editedby">Edited by</h4><h3 
class="editor"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div></div><div><p class="pubdate"></p></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="preface"><a href="pr01.html">About the Cover Artwork</a></span></dt><dt><span class="preface"><a href="pr02.html">Attribution</a></span></dt><dt><span class="preface"><a href="pr03.html">Foreword</a></span></dt><dt><span class="preface"><a href="TOSHpreface.html">Preface</a></span></dt><dd><dl><dt><span class="sect1"><a href="TOSHpreface.html#id323668">Conventions Used</a></span></dt></dl></dd><dt><span class="preface"><a href="IntroSMB.html">Introduction</a></span></dt><dd><dl><dt><span class="sect1"><a href="IntroSMB.html#id323832">What Is Samba?</a></span></dt><dt><span class="sect1"><a href="IntroSMB.html#id280609">Why This Book?</a></span></dt><dt><span class="sect1"><a href="IntroSMB.html#id324017">Book Structure and Layout</a></span></dt></dl></dd><dt><span class="part"><a href="introduction.html">I. General Installation</a></span></dt><dd><dl><dt><span class="chapter"><a href="install.html">1. 
How to Install and Test SAMBA</a></span></dt><dd><dl><dt><span class="sect1"><a href="install.html#id324258">Obtaining and Installing Samba</a></span></dt><dt><span class="sect1"><a href="install.html#id324296">Configuring Samba (smb.conf)</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id324334">Configuration File Syntax</a></span></dt><dt><span class="sect2"><a href="install.html#tdbdocs">TDB Database File Information</a></span></dt><dt><span class="sect2"><a href="install.html#id325180">Starting Samba</a></span></dt><dt><span class="sect2"><a href="install.html#id325348">Example Configuration</a></span></dt><dt><span class="sect2"><a href="install.html#id325726">SWAT</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id325776">List Shares Available on the Server</a></span></dt><dt><span class="sect1"><a href="install.html#id325824">Connect with a UNIX Client</a></span></dt><dt><span class="sect1"><a href="install.html#id325910">Connect from a Remote SMB Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id325982">What If Things Don't Work?</a></span></dt><dt><span class="sect2"><a href="install.html#id326015">Still Stuck?</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id326041">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id326050">Large Number of smbd Processes</a></span></dt><dt><span class="sect2"><a href="install.html#id326129">Error Message: open_oplock_ipc</a></span></dt><dt><span class="sect2"><a href="install.html#id326157"><span class="quote">&#8220;<span class="quote"><span class="errorname">The network name cannot be found</span></span>&#8221;</span></a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="FastStart.html">2. 
Fast Start: Cure for Impatience</a></span></dt><dd><dl><dt><span class="sect1"><a href="FastStart.html#id326280">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id326298">Description of Example Sites</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id326355">Worked Examples</a></span></dt><dd><dl><dt><span class="sect2"><a href="FastStart.html#id326370">Standalone Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id328002">Domain Member Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id328803">Domain Controller</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="type.html">II. Server Configuration Basics</a></span></dt><dd><dl><dt><span class="chapter"><a href="ServerType.html">3. Server Types and Security Modes</a></span></dt><dd><dl><dt><span class="sect1"><a href="ServerType.html#id330679">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id330822">Server Types</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id330959">Samba Security Modes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id331101">User Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331249">Share-Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331866">ADS Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331998">Server Security (User Level Security)</a></span></dt></dl></dd><dt><span class="sect1"><a href="ServerType.html#id332239">Password Checking</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id332395">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id332416">What Makes Samba a Server?</a></span></dt><dt><span 
class="sect2"><a href="ServerType.html#id332443">What Makes Samba a Domain Controller?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332478">What Makes Samba a Domain Member?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332502">Constantly Losing Connections to Password Server</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332541">Stand-alone Server is converted to Domain Controller Now User accounts don't work</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="samba-pdc.html">4. Domain Control</a></span></dt><dd><dl><dt><span class="sect1"><a href="samba-pdc.html#id332816">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id333870">Basics of Domain Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id333888">Domain Controller Types</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id334343">Preparing for Domain Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id335523">Samba ADS Domain Control</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id335566">Domain and Network Logon Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id335583">Domain Network Logon Service</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336119">Security Mode and Master Browsers</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id336354">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id336359"><span class="quote">&#8220;<span class="quote">$</span>&#8221;</span> Cannot Be Included in Machine Name</a></span></dt><dt><span class="sect2"><a 
href="samba-pdc.html#id336454">Joining Domain Fails Because of Existing Machine Account</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336513">The System Cannot Log You On (C000019B)</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336578">The Machine Trust Account Is Not Accessible</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336685">Account Disabled</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336710">Domain Controller Unavailable</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336727">Cannot Log onto Domain Member Workstation After Joining Domain</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="samba-bdc.html">5. Backup Domain Control</a></span></dt><dd><dl><dt><span class="sect1"><a href="samba-bdc.html#id336899">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-bdc.html#id337275">Essential Background Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id337967">LDAP Configuration Notes</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id338300">Active Directory Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id338437">How Does a Workstation find its Domain Controller?</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id339066">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id339500">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id339540">Machine Accounts Keep Expiring</a></span></dt><dt><span 
class="sect2"><a href="samba-bdc.html#id339588">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id339736">Can I Do This All with LDAP?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="domain-member.html">6. Domain Membership</a></span></dt><dd><dl><dt><span class="sect1"><a href="domain-member.html#id339970">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341389">Making an MS Windows Workstation or Server a Domain Member</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#domain-member-server">Domain Member Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342539">Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id342799">Configure <code class="filename">smb.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342981">Configure <code 
class="filename">/etc/krb5.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-server">Testing Server Setup</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-smbclient">Testing with <span class="application">smbclient</span></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344013">Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a></span></dt><dt><span class="sect1"><a href="domain-member.html#id344280">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id344314">Cannot Add Machine Back to Domain</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344384">Adding Machine to Domain Fails</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344604">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="StandAloneServer.html">7. Standalone Servers</a></span></dt><dd><dl><dt><span class="sect1"><a href="StandAloneServer.html#id344722">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id344808">Background</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id344984">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></span></dt><dt><span class="sect2"><a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></span></dt></dl></dd><dt><span class="sect1"><a href="StandAloneServer.html#id345921">Common Errors</a></span></dt></dl></dd><dt><span class="chapter"><a href="ClientConfig.html">8. 
MS Windows Network Configuration Guide</a></span></dt><dd><dl><dt><span class="sect1"><a href="ClientConfig.html#id345986">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ClientConfig.html#id346039">Technical Details</a></span></dt><dd><dl><dt><span class="sect2"><a href="ClientConfig.html#id346080">TCP/IP Configuration</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></span></dt></dl></dd><dt><span class="sect1"><a href="ClientConfig.html#id348714">Common Errors</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="optional.html">III. Advanced Configuration</a></span></dt><dd><dl><dt><span class="chapter"><a href="ChangeNotes.html">9. Important and Critical Change Notes for the Samba 3.x Series</a></span></dt><dd><dl><dt><span class="sect1"><a href="ChangeNotes.html#id348938">Important Samba-3.2.x Change Notes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id348949">Important Samba-3.0.x Change Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ChangeNotes.html#id348997">User and Group Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349287">Essential Group Mappings</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349400">Passdb Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349573">LDAP Changes in Samba-3.0.23</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NetworkBrowsing.html">10. 
Network Browsing</a></span></dt><dd><dl><dt><span class="sect1"><a href="NetworkBrowsing.html#id349822">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#id349988">What Is Browsing?</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#netdiscuss">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id351491">How Browsing Functions</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353161">Note about Broadcast Addresses</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353180">Multiple Interfaces</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353357">Use of the Remote Announce Parameter</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353486">Use of the Remote Browse Sync Parameter</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id353824">WINS Server Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354117">WINS 
Replication</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354166">Static WINS Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id354384">Helpful Hints</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354520">Name Resolution Order</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id354713">Technical Overview of Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354972">Problem Resolution</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id356151">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id356175">Flushing the Samba NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356240">Server Resources Cannot Be Listed</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356285">I Get an "<span class="errorname">Unable to browse the network</span>" Error</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356510">Invalid Cached Share References Affects Network Browsing</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="passdb.html">11. 
Account Information Databases</a></span></dt><dd><dl><dt><span class="sect1"><a href="passdb.html#id356961">Features and Benefits</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></span></dt><dt><span class="sect2"><a href="passdb.html#id357165">New Account Storage Systems</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#passdbtech">Technical Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id357700">Important Notes About Security</a></span></dt><dt><span class="sect2"><a href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a></span></dt><dt><span class="sect2"><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></span></dt><dt><span class="sect2"><a href="passdb.html#id358700">Comments Regarding LDAP</a></span></dt><dt><span class="sect2"><a href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#acctmgmttools">Account Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id359487">The <code class="literal">smbpasswd</code> Tool</a></span></dt><dt><span class="sect2"><a href="passdb.html#pdbeditthing">The <code class="literal">pdbedit</code> Tool</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id361852">Password Backends</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id361898">Plaintext</a></span></dt><dt><span class="sect2"><a href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id362220">tdbsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id362365">ldapsam</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id364701">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="passdb.html#id364707">Users Cannot Logon</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364741">Configuration of <em class="parameter"><code>auth methods</code></em></a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="groupmapping.html">12. Group Mapping: MS Windows and UNIX</a></span></dt><dd><dl><dt><span class="sect1"><a href="groupmapping.html#id364981">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="groupmapping.html#id365375">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id365690">Warning: User Private Group Problems</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id366270">Important Administrative Information</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367100">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id367172">Configuration Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id367182">Sample <code class="filename">smb.conf</code> Add Group Script</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367342">Script to Configure Group Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id367456">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id367467">Adding Groups Fails</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367547">Adding Domain Users to the Workstation Power Users Group</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NetCommand.html">13. 
Remote and Local Management: The Net Command</a></span></dt><dd><dl><dt><span class="sect1"><a href="NetCommand.html#id367921">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id368198">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id368272">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id368421">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id369648">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id369843">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id369887">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id369950">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id370027">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id370337">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id370349">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id370687">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id371098">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id371140">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a 
href="NetCommand.html#id371309">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371336">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371872">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id372088">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372105">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372165">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372268">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372285">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id372323">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372354">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></dd><dt><span class="chapter"><a href="idmapper.html">14. 
Identity Mapping (IDMAP)</a></span></dt><dd><dl><dt><span class="sect1"><a href="idmapper.html#id372830">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id372854">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id373803">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id374021">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id374087">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id374148">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id374842">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375947">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="rights.html">15. 
User Rights and Privileges</a></span></dt><dd><dl><dt><span class="sect1"><a href="rights.html#id376570">Rights Management Capabilities</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id376833">Using the <span class="quote">&#8220;<span class="quote">net rpc rights</span>&#8221;</span> Utility</a></span></dt><dt><span class="sect2"><a href="rights.html#id377149">Description of Privileges</a></span></dt><dt><span class="sect2"><a href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></span></dt></dl></dd><dt><span class="sect1"><a href="rights.html#id377883">The Administrator Domain SID</a></span></dt><dt><span class="sect1"><a href="rights.html#id378048">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="AccessControls.html">16. File, Directory, and Share Access Controls</a></span></dt><dd><dl><dt><span class="sect1"><a href="AccessControls.html#id378519">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id378687">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379000">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379121">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id379717">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id379748">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380091">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a 
href="AccessControls.html#id380402">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id380718">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380854">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381176">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381182">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381222">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381286">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381416">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381607">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381747">Interaction with the Standard Samba <span class="quote">&#8220;<span class="quote">create mask</span>&#8221;</span> Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382083">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382146">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382508">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382518">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382826">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a 
href="AccessControls.html#id382869">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="locking.html">17. File and Record Locking</a></span></dt><dd><dl><dt><span class="sect1"><a href="locking.html#id383088">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="locking.html#id383174">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id383412">Opportunistic Locking Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id384264">Samba Oplocks Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id384333">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id384716">MS Windows Oplocks and Caching Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id384868">Workstation Service Entries</a></span></dt><dt><span class="sect2"><a href="locking.html#id384888">Server Service Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id384944">Persistent Data Corruption</a></span></dt><dt><span class="sect1"><a href="locking.html#id384963">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id385014">locking.tdb Error Messages</a></span></dt><dt><span class="sect2"><a href="locking.html#id385042">Problems Saving Files in MS Office on Windows XP</a></span></dt><dt><span class="sect2"><a href="locking.html#id385065">Long Delays Deleting Files over Network with XP SP1</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id385094">Additional Reading</a></span></dt></dl></dd><dt><span class="chapter"><a href="securing-samba.html">18. 
Securing Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="securing-samba.html#id385260">Introduction</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id385353">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id385488">Technical Discussion of Protective Measures and Issues</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id385501">Using Host-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id385646">User-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id385704">Using Interface Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#firewallports">Using a Firewall</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id386164">NTLMv2 Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="securing-samba.html#id386212">Upgrading Samba</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id386253">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id386268">Smbclient Works on Localhost, but the Network Is Dead</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="InterdomainTrusts.html">19. 
Interdomain Trust Relationships</a></span></dt><dd><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id386823">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id387144">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id387178">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id388180">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id388191">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id388228">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="msdfs.html">20. 
Hosting a Microsoft Distributed File System Tree</a></span></dt><dd><dl><dt><span class="sect1"><a href="msdfs.html#id388393">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="msdfs.html#id388783">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="msdfs.html#id388812">MSDFS UNIX Path Is Case-Critical</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="classicalprinting.html">21. Classical Printing Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="classicalprinting.html#id389000">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id389202">Technical Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id389339">Client to Samba Print Job Processing</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id389393">Printing-Related Configuration Parameters</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id389487">Simple Print Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id389756">Verifying Configuration with <code class="literal">testparm</code></a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id389939">Rapid Configuration Validation</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id390291">Extended Printing Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id390731">Detailed Explanation Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id393254">Point'n'Print Client Drivers on Samba Servers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id393408">The Obsoleted [printer$] Section</a></span></dt><dt><span class="sect2"><a 
href="classicalprinting.html#id393519">Creating the [print$] Share</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id393726">[print$] Stanza Parameters</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id394019">The [print$] Share Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id394148">Installing Drivers into [print$]</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id394232">Add Printer Wizard Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#inst-rpc">Installing Print Drivers Using <code class="literal">rpcclient</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id395921">Client Driver Installation Procedure</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id395936">First Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id396442">Additional Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id396553">Always Make First Client Connection as root or <span class="quote">&#8220;<span class="quote">printer admin</span>&#8221;</span></a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id396711">Other Gotchas</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id396728">Setting Default Print Options for Client Drivers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397064">Supporting Large Numbers of Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397300">Adding New Printers with the Windows NT APW</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397538">Error Message: <span 
class="quote">&#8220;<span class="quote">Cannot connect under a different Name</span>&#8221;</span></a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397636">Take Care When Assembling Driver Files</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397860">Samba and Printer Ports</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397959">Avoiding Common Client Driver Misconfiguration</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id397992">The Imprints Toolset</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id398030">What Is Imprints?</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398060">Creating Printer Driver Packages</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398072">The Imprints Server</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398086">The Installation Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id398202">Adding Network Printers without User Interaction</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398444">The <code class="literal">addprinter</code> Command</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398477">Migration of Classical Printing to Samba</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398608">Publishing Printer Information in Active Directory or LDAP</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398635">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id398641">I Give My Root Password but I Do Not Get Access</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398678">My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a 
href="CUPS-printing.html">22. CUPS Printing Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="CUPS-printing.html#id398810">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id398815">Features and Benefits</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id398866">Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id398976">Basic CUPS Support Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id399084">Linking smbd with libcups.so</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id399310">Simple <code class="filename">smb.conf</code> Settings for CUPS</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id399534">More Complex CUPS <code class="filename">smb.conf</code> Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id399894">Advanced Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id399907">Central Spooling vs. 
<span class="quote">&#8220;<span class="quote">Peer-to-Peer</span>&#8221;</span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id399952">Raw Print Serving: Vendor Drivers on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400166">Installation of Windows Client Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-raw">Explicitly Enable <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> Printing for <span class="emphasis"><em>application/octet-stream</em></span></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400430">Driver Upload Methods</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id400541">Advanced Intelligent Printing with PostScript Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401205">Ghostscript: The Software RIP for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401346">PostScript Printer Description (PPD) Specification</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401414">Using Windows-Formatted Vendor PPDs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401523">CUPS Also Uses PPDs for Non-PostScript Printers</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id401774">MIME Types 
and CUPS Filters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402381">Filtering Overview</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402529">Prefilters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402708">pstops</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402868">pstoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403119">imagetops and imagetoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403199">rasterto [printers specific]</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403411">CUPS Backends</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403719">The Role of <em class="parameter"><code>cupsomatic/foomatic</code></em></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403933">The Complete Picture</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403945"><code class="filename">mime.convs</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404006"><span class="quote">&#8220;<span class="quote">Raw</span>&#8221;</span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404106">application/octet-stream Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404631"><span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> Versus <span class="emphasis"><em>Native CUPS</em></span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405347">Sources of CUPS Drivers/PPDs</a></span></dt><dt><span 
class="sect2"><a href="CUPS-printing.html#id405456">Printing with Interface Scripts</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id405534">Network Printing (Purely Windows)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id405549">From Windows Clients to an NT Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405607">Driver Execution on the Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405672">Driver Execution on the Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id405771">Network Printing (Windows Clients and UNIX/Samba Print
-Servers)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id405787">From Windows Clients to a CUPS/Samba Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405962">Samba Receiving Job-Files and Passing Them to CUPS</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id406034">Network PostScript RIP</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id406112">PPDs for Non-PS Printers on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406149">PPDs for Non-PS Printers on Windows</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id406210">Windows Terminal Servers (WTS) as CUPS Clients</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id406222">Printer Drivers Running in <span class="quote">&#8220;<span class="quote">Kernel Mode</span>&#8221;</span> Cause Many
-Problems</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406253">Workarounds Impose Heavy Limitations</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406267">CUPS: A <span class="quote">&#8220;<span class="quote">Magical Stone</span>&#8221;</span>?</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406303">PostScript Drivers with No Major Problems, Even in Kernel
-Mode</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id406382">Configuring CUPS for Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id406400"><span class="emphasis"><em>cupsaddsmb</em></span>: The Unknown Utility</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406488">Prepare Your <code class="filename">smb.conf</code> for <code class="literal">cupsaddsmb</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406765">CUPS <span class="quote">&#8220;<span class="quote">PostScript Driver for Windows NT/200x/XP</span>&#8221;</span></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406987">Recognizing Different Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407098">Acquiring the Adobe Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407118">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407173">Caveats to Be Considered</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407452">Windows CUPS PostScript Driver Versus Adobe Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407647">Run cupsaddsmb (Quiet Mode)</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407782">Run cupsaddsmb with Verbose Output</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407885">Understanding cupsaddsmb</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408021">How to Recognize If cupsaddsmb Completed Successfully</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408132">cupsaddsmb with a Samba PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408209">cupsaddsmb Flowchart</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408287">Installing the PostScript Driver on 
a Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-avoidps1">Avoiding Critical PostScript Driver Settings on the Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id408496">Installing PostScript Driver Files Manually Using rpcclient</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408822">Understanding the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408914">Producing an Example by Querying a Windows Box</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409034">Requirements for adddriver and setdriver to Succeed</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410123">Troubleshooting Revisited</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id410254">The Printing <code class="filename">*.tdb</code> Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id410454">Trivial Database Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410516">Binary Format</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410577">Losing <code class="filename">*.tdb</code> Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410623">Using <code class="literal">tdbbackup</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id410734">CUPS Print Drivers from Linuxprinting.org</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id410895">foomatic-rip and Foomatic Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id411599">foomatic-rip and Foomatic PPD Download and 
Installation</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id412022">Page Accounting with CUPS</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412052">Setting Up Quotas</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412102">Correct and Incorrect Accounting</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412135">Adobe and CUPS PostScript Drivers for Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412266">The page_log File Syntax</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412406">Possible Shortcomings</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412465">Future Developments</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412500">Other Accounting Tools</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id412512">Additional Material</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id412700">Autodeletion or Preservation of CUPS Spool Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412773">CUPS Configuration Settings Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412850">Preconditions</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412978">Manual Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id413023">Printing from CUPS to Windows-Attached Printers</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id413279">More CUPS Filtering Chains</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id413388">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id413394">Windows 9x/Me Client Can't Install Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#root-ask-loop"><span class="quote">&#8220;<span 
class="quote">cupsaddsmb</span>&#8221;</span> Keeps Asking for Root Password in Never-ending Loop</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413464"><span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> or <span class="quote">&#8220;<span class="quote">rpcclient addriver</span>&#8221;</span> Emit Error</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413500"><span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> Errors</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413571">Client Can't Connect to Samba Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413594">New Account Reconnection from Windows 200x/XP Troubles</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413674">Avoid Being Connected to the Samba Server as the Wrong User</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413721">Upgrading to CUPS Drivers from Adobe Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413755">Can't Use <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> on Samba Server, Which Is a PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413790">Deleted Windows 200x Printer Driver Is Still Shown</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413821">Windows 200x/XP Local Security Policies</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413852">Administrator Cannot Install Printers for All Local Users</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413888">Print Change, Notify Functions on NT Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413911">Windows XP SP1</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413953">Print Options for All Users Can't Be Set on Windows 200x/XP</a></span></dt><dt><span class="sect2"><a 
href="CUPS-printing.html#id414222">Most Common Blunders in Driver Settings on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414274"><code class="literal">cupsaddsmb</code> Does Not Work with Newly Installed Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414320">Permissions on <code class="filename">/var/spool/samba/</code> Get Reset After Each Reboot</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414413">Print Queue Called <span class="quote">&#8220;<span class="quote">lp</span>&#8221;</span> Mishandles Print Jobs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414476">Location of Adobe PostScript Driver Files for <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span></a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id414527">Overview of the CUPS Printing Processes</a></span></dt></dl></dd><dt><span class="chapter"><a href="VFS.html">23. 
Stackable VFS modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="VFS.html#id414711">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="VFS.html#id414746">Discussion</a></span></dt><dt><span class="sect1"><a href="VFS.html#id415127">Included Modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id415132">audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415172">default_quota</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415364">extd_audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#fakeperms">fake_perms</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415677">recycle</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416047">netatalk</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416094">shadow_copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="VFS.html#id416927">VFS Modules Available Elsewhere</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id416949">DatabaseFS</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417002">vscan</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417038">vscan-clamav</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="winbind.html">24. 
Winbind: Use of Domain Accounts</a></span></dt><dd><dl><dt><span class="sect1"><a href="winbind.html#id417272">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="winbind.html#id417589">Introduction</a></span></dt><dt><span class="sect1"><a href="winbind.html#id417666">What Winbind Provides</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id417805">Target Uses</a></span></dt><dt><span class="sect2"><a href="winbind.html#id417844">Handling of Foreign SIDs</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id417956">How Winbind Works</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id418004">Microsoft Remote Procedure Calls</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418082">Microsoft Active Directory Services</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418126">Name Service Switch</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418338">Pluggable Authentication Modules</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418479">User and Group ID Allocation</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418546">Result Caching</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id418597">Installation and Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id418602">Introduction</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418709">Requirements</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418852">Testing Things Out</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id421094">Conclusion</a></span></dt><dt><span class="sect1"><a href="winbind.html#id421140">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id421173">NSCD Problem Warning</a></span></dt><dt><span class="sect2"><a href="winbind.html#id421207">Winbind Is Not Resolving Users and 
Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="AdvancedNetworkManagement.html">25. Advanced Network Management</a></span></dt><dd><dl><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id421386">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id421545">Remote Desktop Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a></span></dt></dl></dd><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id422084">Network Logon Script Magic</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id422250">Adding Printers without User Intervention</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id422290">Limiting Logon Connections</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="PolicyMgmt.html">26. 
System and Account Policies</a></span></dt><dd><dl><dt><span class="sect1"><a href="PolicyMgmt.html#id422418">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id422683">Windows 9x/ME Policies</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id423619">Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id423630">Samba Editreg Toolset</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id423706">Windows NT4/200x</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id423743">Samba PDC</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id423806">System Startup and Logon Processing Overview</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id423947">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id423958">Policy Does Not Work</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="ProfileMgmt.html">27. 
Desktop Profile Management</a></span></dt><dd><dl><dt><span class="sect1"><a href="ProfileMgmt.html#id424037">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id424080">Roaming Profiles</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id424128">Samba Configuration for Profile Handling</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id424698">Windows Client Profile Configuration Information</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id425966">User Profile Hive Cleanup Service</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id425996">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id426086">Profile Migration from Windows NT4/200x Server to Samba</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id426418">Mandatory Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id426546">Creating and Managing Group Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id426613">Default Profile for Windows Users</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id426639">MS Windows 9x/Me</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id427765">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id427775">Configuring Roaming Profiles for a Few Users or Groups</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427829">Cannot Use Roaming Profiles</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427978">Changing the Default Profile</a></span></dt><dt><span class="sect2"><a 
href="ProfileMgmt.html#id428131">Debugging Roaming Profiles and NT4-style Domain Policies</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="pam.html">28. PAM-Based Distributed Authentication</a></span></dt><dd><dl><dt><span class="sect1"><a href="pam.html#id428296">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id428896">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id428947">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id429855">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id430124"><code class="filename">smb.conf</code> PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id430196">Remote CIFS Authentication Using <code class="filename">winbindd.so</code></a></span></dt><dt><span class="sect2"><a href="pam.html#id430284">Password Synchronization Using <code class="filename">pam_smbpass.so</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id430641">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id430651">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id430740">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="integrate-ms-networks.html">29. 
Integrating MS Windows Networks with Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="integrate-ms-networks.html#id430948">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id430965">Background Information</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id431084">Name Resolution in a Pure UNIX/Linux World</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id431155"><code class="filename">/etc/hosts</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431316"><code class="filename">/etc/resolv.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431349"><code class="filename">/etc/host.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431397"><code class="filename">/etc/nsswitch.conf</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431980">The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432088">HOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432113">DNS Lookup</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432135">WINS Lookup</a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id432266">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id432277">Pinging Works Only One Way</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432305">Very Slow Network Connections</a></span></dt><dt><span class="sect2"><a 
href="integrate-ms-networks.html#id432343">Samba Server Name-Change Problem</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="unicode.html">30. Unicode/Charsets</a></span></dt><dd><dl><dt><span class="sect1"><a href="unicode.html#id432528">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432573">What Are Charsets and Unicode?</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432692">Samba and Charsets</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432818">Conversion from Old Names</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432847">Japanese Charsets</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id432968">Basic Parameter Setting</a></span></dt><dt><span class="sect2"><a href="unicode.html#id433545">Individual Implementations</a></span></dt><dt><span class="sect2"><a href="unicode.html#id433658">Migration from Samba-2.2 Series</a></span></dt></dl></dd><dt><span class="sect1"><a href="unicode.html#id433797">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id433803">CP850.so Can't Be Found</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Backup.html">31. Backup Techniques</a></span></dt><dd><dl><dt><span class="sect1"><a href="Backup.html#id433904">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="Backup.html#id433944">Discussion of Backup Solutions</a></span></dt><dd><dl><dt><span class="sect2"><a href="Backup.html#id434031">BackupPC</a></span></dt><dt><span class="sect2"><a href="Backup.html#id434193">Rsync</a></span></dt><dt><span class="sect2"><a href="Backup.html#id434353">Amanda</a></span></dt><dt><span class="sect2"><a href="Backup.html#id434397">BOBS: Browseable Online Backup System</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="SambaHA.html">32. 
High Availability</a></span></dt><dd><dl><dt><span class="sect1"><a href="SambaHA.html#id434489">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SambaHA.html#id434596">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="SambaHA.html#id434627">The Ultimate Goal</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id434749">Why Is This So Hard?</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435417">A Simple Solution</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435490">High-Availability Server Products</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435618">MS-DFS: The Poor Man's Cluster</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435651">Conclusions</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="largefile.html">33. Handling Large Directories</a></span></dt><dt><span class="chapter"><a href="cfgsmarts.html">34. Advanced Configuration Techniques</a></span></dt><dd><dl><dt><span class="sect1"><a href="cfgsmarts.html#id436235">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="cfgsmarts.html#id436244">Multiple Server Hosting</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id437590">Multiple Virtual Server Hosting</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="migration.html">IV. Migration and Updating</a></span></dt><dd><dl><dt><span class="chapter"><a href="upgrading-to-3.0.html">35. 
Updating and Upgrading Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="upgrading-to-3.0.html#id438461">Key Update Requirements</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438485">Upgrading from Samba-3.0.x to Samba-3.2.0</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438531">Quick Migration Guide</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrading-to-3.0.html#id438669">New Features in Samba-3.x Series</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440069">New Functionality</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NT4Migration.html">36. Migration from NT4 PDC to Samba-3 PDC</a></span></dt><dd><dl><dt><span class="sect1"><a href="NT4Migration.html#id441392">Planning and Getting Started</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id441422">Objectives</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id442286">Steps in Migration Process</a></span></dt></dl></dd><dt><span class="sect1"><a href="NT4Migration.html#id442509">Migration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id442592">Planning for Success</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="SWAT.html">37. 
SWAT: The Samba Web Administration Tool</a></span></dt><dd><dl><dt><span class="sect1"><a href="SWAT.html#id443273">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SWAT.html#id443386">Guidelines and Technical Tips</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id443404">Validate SWAT Installation</a></span></dt><dt><span class="sect2"><a href="SWAT.html#xinetd">Enabling SWAT for Use</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id443982">Securing SWAT through SSL</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444127">Enabling SWAT Internationalization Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="SWAT.html#id444313">Overview and Quick Tour</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id444324">The SWAT Home Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444377">Global Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444473">Share Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444525">Printers Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444577">The SWAT Wizard</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444633">The Status Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444672">The View Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444690">The Password Change Page</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="troubleshooting.html">V. Troubleshooting</a></span></dt><dd><dl><dt><span class="chapter"><a href="diagnosis.html">38. The Samba Checklist</a></span></dt><dd><dl><dt><span class="sect1"><a href="diagnosis.html#id444817">Introduction</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id444853">Assumptions</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id445131">The Tests</a></span></dt></dl></dd><dt><span class="chapter"><a href="problems.html">39. 
Analyzing and Solving Samba Problems</a></span></dt><dd><dl><dt><span class="sect1"><a href="problems.html#id446780">Diagnostics Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="problems.html#id446829">Debugging with Samba Itself</a></span></dt><dt><span class="sect2"><a href="problems.html#id447073">Tcpdump</a></span></dt><dt><span class="sect2"><a href="problems.html#id447122">Ethereal</a></span></dt><dt><span class="sect2"><a href="problems.html#id447261">The Windows Network Monitor</a></span></dt></dl></dd><dt><span class="sect1"><a href="problems.html#id447567">Useful URLs</a></span></dt><dt><span class="sect1"><a href="problems.html#id447602">Getting Mailing List Help</a></span></dt><dt><span class="sect1"><a href="problems.html#id447756">How to Get Off the Mailing Lists</a></span></dt></dl></dd><dt><span class="chapter"><a href="bugreport.html">40. Reporting Bugs</a></span></dt><dd><dl><dt><span class="sect1"><a href="bugreport.html#id447883">Introduction</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id447963">General Information</a></span></dt><dt><span class="sect1"><a href="bugreport.html#dbglvl">Debug Levels</a></span></dt><dd><dl><dt><span class="sect2"><a href="bugreport.html#id448181">Debugging-Specific Operations</a></span></dt></dl></dd><dt><span class="sect1"><a href="bugreport.html#id448377">Internal Errors</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id448498">Attaching to a Running Process</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id448614">Patches</a></span></dt></dl></dd><dt><span class="chapter"><a href="tdb.html">41. Managing TDB Files</a></span></dt><dd><dl><dt><span class="sect1"><a href="tdb.html#id448693">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="tdb.html#id449130">Managing TDB Files</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="Appendix.html">VI. 
Reference Section</a></span></dt><dd><dl><dt><span class="chapter"><a href="compiling.html">42. How to Compile Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="compiling.html#id449310">Access Samba Source Code via Subversion</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id449315">Introduction</a></span></dt><dt><span class="sect2"><a href="compiling.html#id449353">Subversion Access to samba.org</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#id449526">Accessing the Samba Sources via rsync and ftp</a></span></dt><dt><span class="sect1"><a href="compiling.html#id449593">Verifying Samba's PGP Signature</a></span></dt><dt><span class="sect1"><a href="compiling.html#id449722">Building the Binaries</a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id449946">Compiling Samba with Active Directory Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="compiling.html#startingSamba">Starting the <span class="application">smbd</span> <span class="application">nmbd</span> and <span class="application">winbindd</span></a></span></dt><dd><dl><dt><span class="sect2"><a href="compiling.html#id450196">Starting from inetd.conf</a></span></dt><dt><span class="sect2"><a href="compiling.html#id450403">Alternative: Starting <span class="application">smbd</span> as a Daemon</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Portability.html">43. 
Portability</a></span></dt><dd><dl><dt><span class="sect1"><a href="Portability.html#id450764">HPUX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id450860">SCO UNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id450891">DNIX</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451021">Red Hat Linux</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451060">AIX: Sequential Read Ahead</a></span></dt><dt><span class="sect1"><a href="Portability.html#id451114">Solaris</a></span></dt><dd><dl><dt><span class="sect2"><a href="Portability.html#id451119">Locking Improvements</a></span></dt><dt><span class="sect2"><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Other-Clients.html">44. Samba and Other CIFS Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="Other-Clients.html#id451283">Macintosh Clients</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id451358">OS2 Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id451364">Configuring OS/2 Warp Connect or OS/2 Warp 4</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451474">Configuring Other Versions of OS/2</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451524">Printer Driver Download for OS/2 Clients</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id451608">Windows for Workgroups</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id451614">Latest TCP/IP Stack from Microsoft</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451692">Delete .pwl Files After Password Change</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451713">Configuring Windows for Workgroups Password Handling</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451768">Password Case 
Sensitivity</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#id451795">Use TCP/IP as Default Protocol</a></span></dt><dt><span class="sect2"><a href="Other-Clients.html#speedimpr">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id451846">Windows 95/98</a></span></dt><dd><dl><dt><span class="sect2"><a href="Other-Clients.html#id451910">Speed Improvement</a></span></dt></dl></dd><dt><span class="sect1"><a href="Other-Clients.html#id451928">Windows 2000 Service Pack 2</a></span></dt><dt><span class="sect1"><a href="Other-Clients.html#id452108">Windows NT 3.1</a></span></dt></dl></dd><dt><span class="chapter"><a href="speed.html">45. Samba Performance Tuning</a></span></dt><dd><dl><dt><span class="sect1"><a href="speed.html#id452214">Comparisons</a></span></dt><dt><span class="sect1"><a href="speed.html#id452243">Socket Options</a></span></dt><dt><span class="sect1"><a href="speed.html#id452328">Read Size</a></span></dt><dt><span class="sect1"><a href="speed.html#id452364">Max Xmit</a></span></dt><dt><span class="sect1"><a href="speed.html#id452406">Log Level</a></span></dt><dt><span class="sect1"><a href="speed.html#id452428">Read Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id452488">Write Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id452536">Slow Logins</a></span></dt><dt><span class="sect1"><a href="speed.html#id452558">Client Tuning</a></span></dt><dt><span class="sect1"><a href="speed.html#id452577">Samba Performance Problem Due to Changing Linux Kernel</a></span></dt><dt><span class="sect1"><a href="speed.html#id452660">Corrupt tdb Files</a></span></dt><dt><span class="sect1"><a href="speed.html#id452749">Samba Performance is Very Slow</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch-ldap-tls.html">46. 
LDAP and Transport Layer Security</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></dd><dt><span class="chapter"><a href="ch47.html">47. Samba Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="ch47.html#id453826">Free Support</a></span></dt><dt><span class="sect1"><a href="ch47.html#id454025">Commercial Support</a></span></dt></dl></dd><dt><span class="chapter"><a href="DNSDHCP.html">48. DNS and DHCP Configuration Guide</a></span></dt><dd><dl><dt><span class="sect1"><a href="DNSDHCP.html#id454166">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="DNSDHCP.html#id454326">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="DNSDHCP.html#id454402">Dynamic DNS</a></span></dt><dt><span class="sect2"><a href="DNSDHCP.html#DHCP">DHCP Server</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="appendix"><a href="apa.html">A.
- <acronym class="acronym">GNU</acronym> General Public License version 3
- </a></span></dt><dd><dl><dt><span class="bridgehead"><a href="apa.html#id454669">A.
- Preamble
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454778">A.
- TERMS AND CONDITIONS
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454782">A.
- 0. Definitions.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454846">A.
- 1. Source Code.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454908">A.
- 2. Basic Permissions.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454936">A.
- 3. Protecting Users&#8217; Legal Rights From Anti-Circumvention Law.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454958">A.
- 4. Conveying Verbatim Copies.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id454977">A.
- 5. Conveying Modified Source Versions.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455049">A.
- 6. Conveying Non-Source Forms.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455181">A.
- 7. Additional Terms.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455286">A.
- 8. Termination.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455318">A.
- 9. Acceptance Not Required for Having Copies.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455337">A.
- 10. Automatic Licensing of Downstream Recipients.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455370">A.
- 11. Patents.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455459">A.
- 12. No Surrender of Others&#8217; Freedom.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455475">A.
- 13. Use with the ???TITLE??? Affero General Public License.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455498">A.
- 14. Revised Versions of this License.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455545">A.
- 15. Disclaimer of Warranty.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455563">A.
- 16. Limitation of Liability.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455577">A.
- 17. Interpretation of Sections 15 and 16.
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455590">A.
- END OF TERMS AND CONDITIONS
- </a></span></dt><dt><span class="bridgehead"><a href="apa.html#id455594">A.
- How to Apply These Terms to Your New Programs
- </a></span></dt></dl></dd><dt><span class="glossary"><a href="go01.html">Glossary</a></span></dt><dt><span class="index"><a href="ix01.html">Index</a></span></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>4.1. <a href="samba-pdc.html#domain-example">An Example Domain.</a></dt><dt>8.1. <a href="ClientConfig.html#WXPP002">Network Bridge Configuration.</a></dt><dt>8.2. <a href="ClientConfig.html#WXPP003">Internet Protocol (TCP/IP) Properties.</a></dt><dt>8.3. <a href="ClientConfig.html#WXPP005">Advanced Network Settings</a></dt><dt>8.4. <a href="ClientConfig.html#WXPP014">DNS Configuration.</a></dt><dt>8.5. <a href="ClientConfig.html#WXPP009">WINS Configuration</a></dt><dt>8.6. <a href="ClientConfig.html#w2kp001">Local Area Connection Properties.</a></dt><dt>8.7. <a href="ClientConfig.html#w2kp002">Internet Protocol (TCP/IP) Properties.</a></dt><dt>8.8. <a href="ClientConfig.html#w2kp003">Advanced Network Settings.</a></dt><dt>8.9. <a href="ClientConfig.html#w2kp004">DNS Configuration.</a></dt><dt>8.10. <a href="ClientConfig.html#w2kp005">WINS Configuration.</a></dt><dt>8.11. <a href="ClientConfig.html#WME001">The Windows Me Network Configuration Panel.</a></dt><dt>8.12. <a href="ClientConfig.html#WME002">IP Address.</a></dt><dt>8.13. <a href="ClientConfig.html#WME005">DNS Configuration.</a></dt><dt>8.14. <a href="ClientConfig.html#WME003">WINS Configuration.</a></dt><dt>8.15. <a href="ClientConfig.html#wxpp001">The General Panel.</a></dt><dt>8.16. <a href="ClientConfig.html#wxpp004">The Computer Name Panel.</a></dt><dt>8.17. <a href="ClientConfig.html#wxpp006">The Computer Name Changes Panel.</a></dt><dt>8.18. <a href="ClientConfig.html#wxpp007">The Computer Name Changes Panel Domain MIDEARTH.</a></dt><dt>8.19. <a href="ClientConfig.html#wxpp008">Computer Name Changes Username and Password Panel.</a></dt><dt>8.20. <a href="ClientConfig.html#WME009">The Network Panel.</a></dt><dt>8.21. 
<a href="ClientConfig.html#WME010">Client for Microsoft Networks Properties Panel.</a></dt><dt>8.22. <a href="ClientConfig.html#WME013">Identification Panel.</a></dt><dt>8.23. <a href="ClientConfig.html#WME014">Access Control Panel.</a></dt><dt>10.1. <a href="NetworkBrowsing.html#browsing1">Cross-Subnet Browsing Example.</a></dt><dt>11.1. <a href="passdb.html#idmap-sid2uid">IDMAP: Resolution of SIDs to UIDs.</a></dt><dt>11.2. <a href="passdb.html#idmap-uid2sid">IDMAP: Resolution of UIDs to SIDs.</a></dt><dt>12.1. <a href="groupmapping.html#idmap-sid2gid">IDMAP: Group SID-to-GID Resolution.</a></dt><dt>12.2. <a href="groupmapping.html#idmap-gid2sid">IDMAP: GID Resolution to Matching SID.</a></dt><dt>12.3. <a href="groupmapping.html#idmap-store-gid2sid">IDMAP Storing Group Mappings.</a></dt><dt>16.1. <a href="AccessControls.html#access1">Overview of UNIX permissions field.</a></dt><dt>19.1. <a href="InterdomainTrusts.html#trusts1">Trusts overview.</a></dt><dt>22.1. <a href="CUPS-printing.html#f1small">Windows Printing to a Local Printer.</a></dt><dt>22.2. <a href="CUPS-printing.html#f2small">Printing to a PostScript Printer.</a></dt><dt>22.3. <a href="CUPS-printing.html#f3small">Ghostscript as a RIP for Non-PostScript Printers.</a></dt><dt>22.4. <a href="CUPS-printing.html#f4small">Prefiltering in CUPS to Form PostScript.</a></dt><dt>22.5. <a href="CUPS-printing.html#f5small">Adding Device-Specific Print Options.</a></dt><dt>22.6. <a href="CUPS-printing.html#cups-raster">PostScript to Intermediate Raster Format.</a></dt><dt>22.7. <a href="CUPS-printing.html#cups-raster2">CUPS-Raster Production Using Ghostscript.</a></dt><dt>22.8. <a href="CUPS-printing.html#small8">Image Format to CUPS-Raster Format Conversion.</a></dt><dt>22.9. <a href="CUPS-printing.html#small9">Raster to Printer-Specific Formats.</a></dt><dt>22.10. <a href="CUPS-printing.html#cupsomatic-dia">cupsomatic/foomatic Processing Versus Native CUPS.</a></dt><dt>22.11. 
<a href="CUPS-printing.html#pdftosocket">PDF to Socket Chain.</a></dt><dt>22.12. <a href="CUPS-printing.html#pdftoepsonusb">PDF to USB Chain.</a></dt><dt>22.13. <a href="CUPS-printing.html#small11">Print Driver Execution on the Client.</a></dt><dt>22.14. <a href="CUPS-printing.html#small12">Print Driver Execution on the Server.</a></dt><dt>22.15. <a href="CUPS-printing.html#f13small">Printing via CUPS/Samba Server.</a></dt><dt>22.16. <a href="CUPS-printing.html#small14">cupsaddsmb Flowchart.</a></dt><dt>22.17. <a href="CUPS-printing.html#cups1">Filtering Chain 1.</a></dt><dt>22.18. <a href="CUPS-printing.html#cups2">Filtering Chain with cupsomatic</a></dt><dt>22.19. <a href="CUPS-printing.html#a_small">CUPS Printing Overview.</a></dt><dt>24.1. <a href="winbind.html#winbind_idmap">Winbind Idmap</a></dt><dt>39.1. <a href="problems.html#ethereal1">Starting a Capture.</a></dt><dt>39.2. <a href="problems.html#ethereal2">Main Ethereal Data Window.</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>1.1. <a href="install.html#tdbpermfiledesc">Persistent TDB File Descriptions</a></dt><dt>1.2. <a href="install.html#tdbtempfiledesc">Temporary TDB File Descriptions</a></dt><dt>5.1. <a href="samba-bdc.html#pdc-bdc-table">Domain Backend Account Distribution Options</a></dt><dt>6.1. <a href="domain-member.html#assumptions">Assumptions</a></dt><dt>9.1. <a href="ChangeNotes.html#TOSH-domgroups">Essential Domain Group Mappings</a></dt><dt>10.1. <a href="NetworkBrowsing.html#browsubnet">Browse Subnet Example 1</a></dt><dt>10.2. <a href="NetworkBrowsing.html#brsbex">Browse Subnet Example 2</a></dt><dt>10.3. <a href="NetworkBrowsing.html#brsex2">Browse Subnet Example 3</a></dt><dt>10.4. <a href="NetworkBrowsing.html#brsex3">Browse Subnet Example 4</a></dt><dt>11.1. <a href="passdb.html#policycontrols">NT4 Domain v's Samba Policy Controls</a></dt><dt>11.2. <a href="passdb.html#accountflags">Samba SAM Account Control Block Flags</a></dt><dt>11.3. 
<a href="passdb.html#attribobjclPartA">Attributes in the sambaSamAccount ObjectClass (LDAP), Part A</a></dt><dt>11.4. <a href="passdb.html#attribobjclPartB">Attributes in the sambaSamAccount ObjectClass (LDAP), Part B</a></dt><dt>11.5. <a href="passdb.html#ldappwsync">Possible <em class="parameter"><code>ldap passwd sync</code></em> Values</a></dt><dt>12.1. <a href="groupmapping.html#WKURIDS">Well-Known User Default RIDs</a></dt><dt>15.1. <a href="rights.html#rp-privs">Current Privilege Capabilities</a></dt><dt>16.1. <a href="AccessControls.html#TOSH-Accesstbl">Managing Directories with UNIX and Windows</a></dt><dt>16.2. <a href="AccessControls.html#ugbc">User- and Group-Based Controls</a></dt><dt>16.3. <a href="AccessControls.html#fdpbc">File and Directory Permission-Based Controls</a></dt><dt>16.4. <a href="AccessControls.html#mcoc">Other Controls</a></dt><dt>16.5. <a href="AccessControls.html#fdsacls">How Windows File ACLs Map to UNIX POSIX File ACLs</a></dt><dt>21.1. <a href="classicalprinting.html#printOptions">Default Printing Settings</a></dt><dt>22.1. <a href="CUPS-printing.html#cups-ppds">PPDs Shipped with CUPS</a></dt><dt>23.1. <a href="VFS.html#xtdaudit">Extended Auditing Log Information</a></dt><dt>27.1. <a href="ProfileMgmt.html#ProfileLocs">User Shell Folder Registry Keys Default Values</a></dt><dt>27.2. <a href="ProfileMgmt.html#regkeys">Defaults of Profile Settings Registry Keys</a></dt><dt>27.3. <a href="ProfileMgmt.html#defregpthkeys">Defaults of Default User Profile Paths Registry Keys</a></dt><dt>28.1. <a href="pam.html#smbpassoptions">Options recognized by <em class="parameter"><code>pam_smbpass</code></em></a></dt><dt>29.1. <a href="integrate-ms-networks.html#uniqnetbiosnames">Unique NetBIOS Names</a></dt><dt>29.2. <a href="integrate-ms-networks.html#netbiosnamesgrp">Group Names</a></dt><dt>30.1. <a href="unicode.html#japancharsets">Japanese Character Sets in Samba-2.2 and Samba-3</a></dt><dt>35.1. 
<a href="upgrading-to-3.0.html#oldtdbfiledesc">Samba-2.2.x TDB File Descriptions</a></dt><dt>36.1. <a href="NT4Migration.html#majtypes">The Three Major Site Types</a></dt><dt>36.2. <a href="NT4Migration.html#natconchoices">Nature of the Conversion Choices</a></dt><dt>40.1. <a href="bugreport.html#dbgclass">Debuggable Functions</a></dt><dt>41.1. <a href="tdb.html#TOSH-TDB">Samba's Trivial Database Files</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>1.1. <a href="install.html#smbconfminimal">A minimal smb.conf</a></dt><dt>1.2. <a href="install.html#simple-example">Another simple smb.conf File</a></dt><dt>2.1. <a href="FastStart.html#anon-example">Anonymous Read-Only Server Configuration</a></dt><dt>2.2. <a href="FastStart.html#anon-rw">Modified Anonymous Read-Write smb.conf</a></dt><dt>2.3. <a href="FastStart.html#anon-print">Anonymous Print Server smb.conf</a></dt><dt>2.4. <a href="FastStart.html#OfficeServer">Secure Office Server smb.conf</a></dt><dt>2.5. <a href="FastStart.html#fast-member-server">Member Server smb.conf (Globals)</a></dt><dt>2.6. <a href="FastStart.html#fast-memberserver-shares">Member Server smb.conf (Shares and Services)</a></dt><dt>2.7. <a href="FastStart.html#fast-engoffice-global">Engineering Office smb.conf (globals)</a></dt><dt>2.8. <a href="FastStart.html#fast-engoffice-shares">Engineering Office smb.conf (shares and services)</a></dt><dt>2.9. <a href="FastStart.html#fast-ldap">LDAP backend smb.conf for PDC</a></dt><dt>2.10. <a href="FastStart.html#fast-bdc">Remote LDAP BDC smb.conf</a></dt><dt>4.1. <a href="samba-pdc.html#pdc-example">smb.conf for being a PDC</a></dt><dt>4.2. <a href="samba-pdc.html#PDC-config">smb.conf for being a PDC</a></dt><dt>5.1. <a href="samba-bdc.html#minimalPDC">Minimal smb.conf for a PDC in Use with a BDC LDAP Server on PDC</a></dt><dt>5.2. <a href="samba-bdc.html#mulitldapcfg">Multiple LDAP Servers in <code class="filename">smb.conf</code></a></dt><dt>5.3. 
<a href="samba-bdc.html#minim-bdc">Minimal Setup for Being a BDC</a></dt><dt>7.1. <a href="StandAloneServer.html#simplynice">smb.conf for Reference Documentation Server</a></dt><dt>7.2. <a href="StandAloneServer.html#AnonPtrSvr"><code class="filename">smb.conf</code> for Anonymous Printing</a></dt><dt>10.1. <a href="NetworkBrowsing.html#dmbexample">Domain Master Browser smb.conf</a></dt><dt>10.2. <a href="NetworkBrowsing.html#lmbexample">Local master browser smb.conf</a></dt><dt>10.3. <a href="NetworkBrowsing.html#nombexample">smb.conf for Not Being a Master Browser</a></dt><dt>10.4. <a href="NetworkBrowsing.html#remsmb">Local Master Browser smb.conf</a></dt><dt>10.5. <a href="NetworkBrowsing.html#xremmb"><code class="filename">smb.conf</code> for Not Being a master browser</a></dt><dt>11.1. <a href="passdb.html#idmapbackendexample">Example Configuration with the LDAP idmap Backend</a></dt><dt>11.2. <a href="passdb.html#confldapex">Configuration with LDAP</a></dt><dt>12.1. <a href="groupmapping.html#smbgrpadd.sh">smbgrpadd.sh</a></dt><dt>12.2. <a href="groupmapping.html#smbgrpadd">Configuration of <code class="filename">smb.conf</code> for the add group Script</a></dt><dt>12.3. <a href="groupmapping.html#set-group-map">Script to Set Group Mapping</a></dt><dt>13.1. <a href="NetCommand.html#autopoweruserscript">Script to Auto-add Domain Users to Workstation Power Users Group</a></dt><dt>13.2. <a href="NetCommand.html#magicnetlogon">A Magic Netlogon Share</a></dt><dt>14.1. <a href="idmapper.html#idmapnt4dms">NT4 Domain Member Server smb.conf</a></dt><dt>14.2. <a href="idmapper.html#idmapadsdms">ADS Domain Member Server smb.conf</a></dt><dt>14.3. <a href="idmapper.html#idmapadsridDMS">ADS Domain Member smb.conf using idmap_rid</a></dt><dt>14.4. <a href="idmapper.html#idmapldapDMS">ADS Domain Member Server using LDAP</a></dt><dt>14.5. <a href="idmapper.html#idmaprfc2307">ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</a></dt><dt>16.1. 
<a href="AccessControls.html#access2">Example File</a></dt><dt>17.1. <a href="locking.html#far1">Share with Some Files Oplocked</a></dt><dt>17.2. <a href="locking.html#far3">Configuration with Oplock Break Contention Limit</a></dt><dt>20.1. <a href="msdfs.html#dfscfg">smb.conf with DFS Configured</a></dt><dt>21.1. <a href="classicalprinting.html#simpleprc">Simple Configuration with BSD Printing</a></dt><dt>21.2. <a href="classicalprinting.html#extbsdpr">Extended BSD Printing Configuration</a></dt><dt>21.3. <a href="classicalprinting.html#prtdollar">[print$] Example</a></dt><dt>22.1. <a href="CUPS-printing.html#cups-exam-simple">Simplest Printing-Related smb.conf</a></dt><dt>22.2. <a href="CUPS-printing.html#overridesettings">Overriding Global CUPS Settings for One Printer</a></dt><dt>22.3. <a href="CUPS-printing.html#cupsadd-ex">smb.conf for cupsaddsmb Usage</a></dt><dt>23.1. <a href="VFS.html#vfsrecyc">smb.conf with VFS modules</a></dt><dt>23.2. <a href="VFS.html#multimodule">smb.conf with multiple VFS modules</a></dt><dt>23.3. <a href="VFS.html#vfsshadow">Share With shadow_copy VFS</a></dt><dt>24.1. <a href="winbind.html#winbindcfg">smb.conf for Winbind Setup</a></dt><dt>25.1. <a href="AdvancedNetworkManagement.html#Tpees">Script to Enforce Single Resource Logon</a></dt><dt>30.1. <a href="unicode.html#vfscap-intl">VFS CAP</a></dt><dt>34.1. <a href="cfgsmarts.html#elastic">Elastic smb.conf File</a></dt><dt>34.2. <a href="cfgsmarts.html#cdserver">CDROM Server smb-cdserver.conf file</a></dt><dt>34.3. <a href="cfgsmarts.html#mastersmbc">Master smb.conf File Global Section</a></dt><dt>34.4. <a href="cfgsmarts.html#merlinsmbc">MERLIN smb-merlin.conf File Share Section</a></dt><dt>34.5. <a href="cfgsmarts.html#sauronsmbc">SAURON smb-sauron.conf File Share Section</a></dt><dt>38.1. <a href="diagnosis.html#tmpshare">smb.conf with [tmp] Share</a></dt><dt>38.2. 
<a href="diagnosis.html#modif1">Configuration for Allowing Connections Only from a Certain Subnet</a></dt><dt>38.3. <a href="diagnosis.html#modif2">Configuration for Allowing Connections from a Certain Subnet and localhost</a></dt><dt>44.1. <a href="Other-Clients.html#minimalprofile">Minimal Profile Share</a></dt></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> About the Cover Artwork</td></tr></table></div></body></html>
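Review bot: the List of Examples at the end of this hunk links into sibling pages (install.html, FastStart.html, samba-pdc.html, passdb.html, diagnosis.html and others), so the tree is only left consistent if every one of those pages is removed in the same commit. install.html follows directly below, but please confirm the rest against the diffstat. install.html also carries a "DocBook XSL Stylesheets" generator tag, which marks these files as generated output rather than source. If the commit message does not already say so, it should state how the HTML is rebuilt, so that anyone who relied on the checked-in copies knows where to get them.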
diff --git a/docs/htmldocs/Samba3-HOWTO/install.html b/docs/htmldocs/Samba3-HOWTO/install.html
deleted file mode 100644
index c5c347edc2..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/install.html
+++ /dev/null
@@ -1,317 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. How to Install and Test SAMBA</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="prev" href="introduction.html" title="Part I. General Installation"><link rel="next" href="FastStart.html" title="Chapter 2. Fast Start: Cure for Impatience"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. How to Install and Test SAMBA</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 1. How to Install and Test SAMBA"><div class="titlepage"><div><div><h2 class="title"><a name="install"></a>Chapter 1. 
How to Install and Test SAMBA</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Karl</span> <span class="surname">Auer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:kauer@biplane.com.au">kauer@biplane.com.au</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:dan@samba.org">dan@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="install.html#id324258">Obtaining and Installing 
Samba</a></span></dt><dt><span class="sect1"><a href="install.html#id324296">Configuring Samba (smb.conf)</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id324334">Configuration File Syntax</a></span></dt><dt><span class="sect2"><a href="install.html#tdbdocs">TDB Database File Information</a></span></dt><dt><span class="sect2"><a href="install.html#id325180">Starting Samba</a></span></dt><dt><span class="sect2"><a href="install.html#id325348">Example Configuration</a></span></dt><dt><span class="sect2"><a href="install.html#id325726">SWAT</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id325776">List Shares Available on the Server</a></span></dt><dt><span class="sect1"><a href="install.html#id325824">Connect with a UNIX Client</a></span></dt><dt><span class="sect1"><a href="install.html#id325910">Connect from a Remote SMB Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id325982">What If Things Don't Work?</a></span></dt><dt><span class="sect2"><a href="install.html#id326015">Still Stuck?</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id326041">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id326050">Large Number of smbd Processes</a></span></dt><dt><span class="sect2"><a href="install.html#id326129">Error Message: open_oplock_ipc</a></span></dt><dt><span class="sect2"><a href="install.html#id326157"><span class="quote">&#8220;<span class="quote"><span class="errorname">The network name cannot be found</span></span>&#8221;</span></a></span></dt></dl></dd></dl></div><div class="sect1" title="Obtaining and Installing Samba"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id324258"></a>Obtaining and Installing Samba</h2></div></div></div><p>
- <a class="indexterm" name="id324265"></a>
- Binary packages of Samba are included in almost any Linux or UNIX distribution. There are also some
- packages available at <a class="ulink" href="http://samba.org/" target="_top">the Samba home page</a>. Refer to the manual of your
- operating system for details on installing packages for your specific operating system.
- </p><p>
- <a class="indexterm" name="id324282"></a>
- If you need to compile Samba from source, check <a class="link" href="compiling.html" title="Chapter 42. How to Compile Samba">How to Compile Samba</a>.
- </p></div><div class="sect1" title="Configuring Samba (smb.conf)"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id324296"></a>Configuring Samba (smb.conf)</h2></div></div></div><p>
- <a class="indexterm" name="id324303"></a>
- <a class="indexterm" name="id324310"></a>
- Samba's configuration is stored in the <code class="filename">smb.conf</code> file, which usually resides in
- <code class="filename">/etc/samba/smb.conf</code> or <code class="filename">/usr/local/samba/lib/smb.conf</code>. You can either
- edit this file yourself or do it using one of the many graphical tools that are available, such as the
- Web-based interface SWAT, that is included with Samba.
- </p><div class="sect2" title="Configuration File Syntax"><div class="titlepage"><div><div><h3 class="title"><a name="id324334"></a>Configuration File Syntax</h3></div></div></div><p>
- <a class="indexterm" name="id324342"></a>
- The <code class="filename">smb.conf</code> file uses the same syntax as the various old <code class="filename">.ini</code> files in Windows
- 3.1: Each file consists of various sections, which are started by putting the section name between brackets
- (<code class="literal">[]</code>) on a new line. Each contains zero or more key/value pairs separated by an equality
- sign (<code class="literal">=</code>). The file is just a plaintext file, so you can open and edit it with your favorite
- editing tool.
- </p><p>
- <a class="indexterm" name="id324375"></a>
- <a class="indexterm" name="id324381"></a>
- <a class="indexterm" name="id324390"></a>
- <a class="indexterm" name="id324396"></a>
- <a class="indexterm" name="id324402"></a>
- <a class="indexterm" name="id324411"></a>
- Each section in the <code class="filename">smb.conf</code> file represents either a share or a meta-service on the Samba server. The
- section <code class="literal">[global]</code> is special, since it contains settings that apply to the whole Samba
- server. Samba supports a number of meta-services, each of which serves its own purpose. For example, the
- <code class="literal">[homes]</code> share is a meta-service that causes Samba to provide a personal home share for
- each user. The <code class="literal">[printers]</code> share is a meta-service that establishes print queue support
- and that specifies the location of the intermediate spool directory into which print jobs are received
- from Windows clients prior to being dispatched to the UNIX/Linux print spooler.
- </p><p>
-<a class="indexterm" name="id324449"></a>
-<a class="indexterm" name="id324455"></a>
-<a class="indexterm" name="id324461"></a>
-<a class="indexterm" name="id324467"></a>
-<a class="indexterm" name="id324474"></a>
-<a class="indexterm" name="id324480"></a>
- The <code class="literal">printers</code> meta-service will cause every printer that is either specified in a
- <code class="literal">printcap</code> file, via the <code class="literal">lpstat</code>, or via the CUPS API, to be
- published as a shared print queue. The <code class="literal">printers</code> stanza in the <code class="filename">smb.conf</code> file can
- be set as not browseable. If it is set to be browseable, then it will be visible as if it is a share.
- That makes no sense given that this meta-service is responsible only for making UNIX system printers
- available as Windows print queues. If a <code class="literal">comment</code> parameter is specified, the value
- of it will be displayed as part of the printer name in Windows Explorer browse lists.
- </p><p>
- <a class="indexterm" name="id324525"></a>
- Each section of the <code class="filename">smb.conf</code> file that specifies a share, or a meta-service, is called a stanza.
- The <code class="literal">global</code> stanza specifies settings that affect all the other stanzas in the
- <code class="filename">smb.conf</code> file. Configuration parameters are documented in the <code class="filename">smb.conf</code> man page. Some parameters
- can be used only in the <code class="literal">global</code> stanza, some only in share or meta-service stanzas,
- and some can be used globally or just within a share or meta-service stanza.
- </p><p>
- <a class="indexterm" name="id324564"></a>
- <a class="link" href="install.html#smbconfminimal" title="Example 1.1. A minimal smb.conf">A minimal smb.conf</a> contains a very minimal <code class="filename">smb.conf</code>.
- <a class="indexterm" name="id324582"></a>
- </p><div class="example"><a name="smbconfminimal"></a><p class="title"><b>Example 1.1. A minimal smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id324611"></a><em class="parameter"><code>workgroup = WKG</code></em></td></tr><tr><td><a class="indexterm" name="id324621"></a><em class="parameter"><code>netbios name = MYNAME</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[share1]</code></em></td></tr><tr><td><a class="indexterm" name="id324640"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[share2]</code></em></td></tr><tr><td><a class="indexterm" name="id324659"></a><em class="parameter"><code>path = /my_shared_folder</code></em></td></tr><tr><td><a class="indexterm" name="id324669"></a><em class="parameter"><code>comment = Some random files</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" title="TDB Database File Information"><div class="titlepage"><div><div><h3 class="title"><a name="tdbdocs"></a>TDB Database File Information</h3></div></div></div><p>
- This section contains brief descriptions of the databases that are used by Samba-3.
- </p><p>
-<a class="indexterm" name="id324695"></a>
- The directory in which Samba stores the tdb files is determined by compile-time directives. Samba-3 stores
- tdb files in two locations. The best way to determine these locations is to execute the following
- command:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbd -b | grep PRIVATE_DIR
- PRIVATE_DIR: /etc/samba/private
-</pre><p>
- This means that the confidential tdb files are stored in the <code class="filename">/etc/samba/private</code>
- directory. Samba-3 also uses a number of tdb files that contain more mundane data. The location of
- these files can be found by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbd -b | grep LOCKDIR
- LOCKDIR: /var/lib/samba
-</pre><p>
- Therefore the remaining control files will, in the example shown, be stored in the
- <code class="filename">/var/lib/samba</code> directory.
- </p><p>
-<a class="indexterm" name="id324741"></a>
- The persistent tdb files are described in <a class="link" href="install.html#tdbpermfiledesc" title="Table 1.1. Persistent TDB File Descriptions">the Persistent TDB File
- Descriptions table</a>. All persistent tdb files should be regularly backed up. Use the
- <code class="literal">tdbbackup</code> utility to backup the tdb files. All persistent tdb files must be
- preserved during machine migrations, updates and upgrades.
- </p><p>
- The temporary tdb files do not need to be backed up, nor do they need to be preseved across machine
- migrations, updates or upgrades. The temporary tdb files are described in <a class="link" href="install.html#tdbtempfiledesc" title="Table 1.2. Temporary TDB File Descriptions">
- the Temporary TDB File Descriptions</a>.
- </p><div class="table"><a name="tdbpermfiledesc"></a><p class="title"><b>Table 1.1. Persistent TDB File Descriptions</b></p><div class="table-contents"><table summary="Persistent TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th></tr></thead><tbody><tr><td align="left">account_policy</td><td align="justify"><p>Samba/NT account policy settings, includes password expiration settings.</p></td></tr><tr><td align="left">group_mapping</td><td align="justify"><p>Mapping table from Windows groups/SID to UNIX groups.</p></td></tr><tr><td align="left">ntdrivers</td><td align="justify"><p>Stores per-printer installed driver information.</p></td></tr><tr><td align="left">ntforms</td><td align="justify"><p>Stores per-printer installed forms information.</p></td></tr><tr><td align="left">ntprinters</td><td align="justify"><p>Stores the per-printer devmode configuration settings.</p></td></tr><tr><td align="left">passdb</td><td align="justify"><p>
- Exists only when the tdbsam passwd backend is used. This file stores the
- SambaSAMAccount information. Note: This file requires that user POSIX account information is
- available from either the /etc/passwd file, or from an alternative system source.
- </p></td></tr><tr><td align="left">registry</td><td align="justify"><p>
- Read-only Samba database of a Windows registry skeleton that provides support for exporting
- various database tables via the winreg RPCs.
- </p></td></tr><tr><td align="left">secrets</td><td align="justify"><p>
- This file stores the Workgroup/Domain/Machine SID, the LDAP directory update password, and
- a further collection of critical environmental data that is necessary for Samba to operate
- correctly. This file contains very sensitive information that must be protected. It is stored
- in the PRIVATE_DIR directory.
- </p></td></tr><tr><td align="left">share_info</td><td align="justify"><p>Stores per-share ACL information.</p></td></tr><tr><td align="left">winbindd_idmap</td><td align="justify"><p>Winbindd's local IDMAP database.</p></td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="tdbtempfiledesc"></a><p class="title"><b>Table 1.2. Temporary TDB File Descriptions</b></p><div class="table-contents"><table summary="Temporary TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th><th align="center">Backup</th></tr></thead><tbody><tr><td align="left">brlock</td><td align="justify"><p>Byte-range locking information.</p></td><td align="left">No</td></tr><tr><td align="left">connections</td><td align="justify"><p>A temporary cache for current connection information used to enforce max connections.</p></td><td align="left">no</td></tr><tr><td align="left">eventlog/*tdb</td><td align="justify"><p>Records of eventlog entries. 
In most circumstances this is just a cache of system logs.</p></td><td align="left">no</td></tr><tr><td align="left">gencache</td><td align="justify"><p>Generic caching database for dead WINS servers and trusted domain data.</p></td><td align="left">no</td></tr><tr><td align="left">login_cache</td><td align="justify"><p>A temporary cache for login information, in particular bad password attempts.</p></td><td align="left">no</td></tr><tr><td align="left">messages</td><td align="justify"><p>Temporary storage of messages being processed by smbd.</p></td><td align="left">no</td></tr><tr><td align="left">netsamlogon_cache</td><td align="justify"><p>Caches user net_info_3 structure data from net_samlogon requests (as a domain member).</p></td><td align="left">no</td></tr><tr><td align="left">perfmon/*.tdb</td><td align="justify"><p>Performance counter information.</p></td><td align="left">no</td></tr><tr><td align="left">printing/*.tdb</td><td align="justify"><p>Cached output from lpq command created on a per-print-service basis.</p></td><td align="left">no</td></tr><tr><td align="left">schannel_store</td><td align="justify"><p>
- A confidential file, stored in the PRIVATE_DIR, containing crytographic connection
- information so that clients that have temporarily disconnected can reconnect without
- needing to renegotiate the connection setup process.
- </p></td><td align="left">no</td></tr><tr><td align="left">sessionid</td><td align="justify"><p>Temporary cache for miscellaneous session information and for utmp handling.</p></td><td align="left">no</td></tr><tr><td align="left">unexpected</td><td align="justify"><p>Stores packets received for which no process is actively listening.</p></td><td align="left">no</td></tr><tr><td align="left">winbindd_cache</td><td align="justify"><p>Cache of Identity information received from an NT4 domain or from ADS. Includes user
- lists, etc.</p></td><td align="left">yes</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" title="Starting Samba"><div class="titlepage"><div><div><h3 class="title"><a name="id325180"></a>Starting Samba</h3></div></div></div><p>
- <a class="indexterm" name="id325188"></a>
- Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
- An example of a service is the Apache Web server for which the daemon is called <code class="literal">httpd</code>. In the case of Samba there
- are three daemons, two of which are needed as a minimum.
- </p><p>
- The Samba server is made up of the following daemons:
- </p><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p>
- <a class="indexterm" name="id325217"></a>
- <a class="indexterm" name="id325223"></a>
- This daemon handles all name registration and resolution requests. It is the primary vehicle involved
- in network browsing. It handles all UDP-based protocols. The <code class="literal">nmbd</code> daemon should
- be the first command started as part of the Samba startup process.
- </p></dd><dt><span class="term">smbd</span></dt><dd><p>
- <a class="indexterm" name="id325249"></a>
- <a class="indexterm" name="id325255"></a>
- This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
- manages local authentication. It should be started immediately following the startup of <code class="literal">nmbd</code>.
- </p></dd><dt><span class="term">winbindd</span></dt><dd><p>
- <a class="indexterm" name="id325280"></a>
- <a class="indexterm" name="id325286"></a>
- This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
- Samba has trust relationships with another domain. The <code class="literal">winbindd</code> daemon will check the
- <code class="filename">smb.conf</code> file for the presence of the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em>
- parameters. If they are are found, <code class="literal">winbindd</code> will use the values specified for
- for UID and GID allocation. If these parameters are not specified, <code class="literal">winbindd</code>
- will start but it will not be able to allocate UIDs or GIDs.
- </p></dd></dl></div><p>
- <a class="indexterm" name="id325334"></a>
- When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
- integration into the platform as a whole. Please refer to your operating system platform administration manuals for
- specific information pertaining to correct management of Samba startup.
- </p></div><div class="sect2" title="Example Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id325348"></a>Example Configuration</h3></div></div></div><p>
- <a class="indexterm" name="id325355"></a>
- <a class="indexterm" name="id325361"></a>
- <a class="indexterm" name="id325368"></a>
- <a class="indexterm" name="id325374"></a>
- <a class="indexterm" name="id325380"></a>
- There are sample configuration files in the examples subdirectory in the source code distribution tarball
- package. It is suggested you read them carefully so you can see how the options go together in practice. See
- the man page for all the options. It might be worthwhile to start out with the
- <code class="filename">smb.conf.default</code> configuration file and adapt it to your needs. It contains plenty of comments.
- </p><p>
- <a class="indexterm" name="id325398"></a>
- The simplest useful configuration file would contain something like that shown in
- <a class="link" href="install.html#simple-example" title="Example 1.2. Another simple smb.conf File">Another simple smb.conf File</a>.
- <a class="indexterm" name="id325413"></a>
- </p><div class="example"><a name="simple-example"></a><p class="title"><b>Example 1.2. Another simple smb.conf File</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id325441"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id325460"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id325470"></a><em class="parameter"><code>read only = no</code></em></td></tr></table></div></div><br class="example-break"><p>
- <a class="indexterm" name="id325484"></a>
- <a class="indexterm" name="id325490"></a>
- <a class="indexterm" name="id325496"></a>
- <a class="indexterm" name="id325502"></a>
- This will allow connections by anyone with an account on the server, using either
- their login name or <em class="parameter"><code>homes</code></em> as the service name.
- (Note: The workgroup that Samba should appear in must also be set. The default
- workgroup name is WORKGROUP.)
- </p><p>
- <a class="indexterm" name="id325519"></a>
- Make sure you put the <code class="filename">smb.conf</code> file in the correct place. Note, the correct location of this file
- depends on how the binary files were built. You can discover the correct location by executing from
- the directory that contains the <code class="literal">smbd</code> command file:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbd -b | grep smb.conf
-</pre><p>
- </p><p>
- <a class="indexterm" name="id325552"></a>
- For more information about security settings for the <em class="parameter"><code>[homes]</code></em> share, please refer to
- <a class="link" href="securing-samba.html" title="Chapter 18. Securing Samba">Securing Samba</a>.
- </p><div class="sect3" title="Test Your Config File with testparm"><div class="titlepage"><div><div><h4 class="title"><a name="id325571"></a>Test Your Config File with <code class="literal">testparm</code></h4></div></div></div><p>
- <a class="indexterm" name="id325583"></a>
- <a class="indexterm" name="id325589"></a>
- <a class="indexterm" name="id325596"></a>
- It's important to validate the contents of the <code class="filename">smb.conf</code> file using the <span class="application">testparm</span> program.
- If testparm runs correctly, it will list the loaded services. If not, it will give an error message.
- Make sure it runs correctly and that the services look reasonable before proceeding. Enter the command:
- </p><pre class="screen">
- <code class="prompt">root# </code> testparm /etc/samba/smb.conf
- </pre><p>
- Testparm will parse your configuration file and report any unknown parameters or incorrect syntax.
- It also performs a check for common misconfigurations and will issue a warning if one is found.
- </p><p>
- Always run testparm again whenever the <code class="filename">smb.conf</code> file is changed!
- </p><p>
- <a class="indexterm" name="id325638"></a>
- <a class="indexterm" name="id325644"></a>
- <a class="indexterm" name="id325650"></a>
- <a class="indexterm" name="id325657"></a>
- The <code class="filename">smb.conf</code> file is constantly checked by the Samba daemons <code class="literal">smbd</code> and every instance of
- itself that it spawns, <code class="literal">nmbd</code> and <code class="literal">winbindd</code>. It is good practice to
- keep this file as small as possible. Many administrators prefer to document Samba configuration settings
- and thus the need to keep this file small goes against good documentation wisdom. One solution that may
- be adopted is to do all documentation and configuration in a file that has another name, such as
- <code class="filename">smb.conf.master</code>. The <code class="literal">testparm</code> utility can be used to generate a
- fully optimized <code class="filename">smb.conf</code> file from this master configuration and documentation file as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> testparm -s smb.conf.master &gt; smb.conf
-</pre><p>
- This administrative method makes it possible to maintain detailed configuration change records while at
- the same time keeping the working <code class="filename">smb.conf</code> file size to the minimum necessary.
- </p></div></div><div class="sect2" title="SWAT"><div class="titlepage"><div><div><h3 class="title"><a name="id325726"></a>SWAT</h3></div></div></div><p>
- <a class="indexterm" name="id325734"></a>
- SWAT is a Web-based interface that can be used to facilitate the configuration of Samba. SWAT might not
- be available in the Samba package that shipped with your platform, but in a separate package. If you need to build SWAT please read the SWAT man page regarding compilation, installation, and
- configuration of SWAT from the source code.
- </p><p>
- To launch SWAT, just run your favorite Web browser and point it to
- <a class="ulink" href="http://localhost:901/" target="_top">http://localhost:901/</a>.
- Replace <em class="replaceable"><code>localhost</code></em> with the name of the computer on which
- Samba is running if that is a different computer than your browser.
- </p><p>
- SWAT can be used from a browser on any IP-connected machine, but be aware that connecting from a remote
- machine leaves your connection open to password sniffing because passwords will be sent over the wire in the clear.
- </p><p>
- Please note that re-writing the configuration file using SWAT will
- remove all comments!
- More information about SWAT can be found in <a class="link" href="SWAT.html" title="Chapter 37. SWAT: The Samba Web Administration Tool">The Samba Web Administration Tool</a>.
- </p></div></div><div class="sect1" title="List Shares Available on the Server"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325776"></a>List Shares Available on the Server</h2></div></div></div><p>
- To list shares that are available from the configured Samba server, execute the
- following command:
- </p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>smbclient -L <em class="replaceable"><code>yourhostname</code></em></code></strong>
-</pre><p>
- You should see a list of shares available on your server. If you do not, then
- something is incorrectly configured. This method can also be used to see what shares
- are available on other SMB servers, such as Windows 2000.
- </p><p>
- If you choose user-level security, you may find that Samba requests a password
- before it will list the shares. See the <code class="literal">smbclient</code> man page for details.
- You can force it to list the shares without a password by adding the option
- <code class="option">-N</code> to the command line.
- </p></div><div class="sect1" title="Connect with a UNIX Client"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325824"></a>Connect with a UNIX Client</h2></div></div></div><p>
- Enter the following command:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>smbclient <em class="replaceable"><code> //yourhostname/aservice</code></em></code></strong>
-</pre><p>Typically <em class="replaceable"><code>yourhostname</code></em> is the name of the host on which <span class="application">smbd</span>
- has been installed. The <em class="replaceable"><code>aservice</code></em> is any service that has been defined in the <code class="filename">smb.conf</code>
- file. Try your username if you just have a <em class="parameter"><code>[homes]</code></em> section in the <code class="filename">smb.conf</code> file.</p><p>Example: If the UNIX host is called <em class="replaceable"><code>bambi</code></em> and a valid login name
- is <em class="replaceable"><code>fred</code></em>, you would type:</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>smbclient //<em class="replaceable"><code>bambi</code></em>/<em class="replaceable"><code>fred</code></em></code></strong>
-</pre></div><div class="sect1" title="Connect from a Remote SMB Client"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id325910"></a>Connect from a Remote SMB Client</h2></div></div></div><p>
- Now that Samba is working correctly locally, you can try to access it from other clients. Within a few
- minutes, the Samba host should be listed in the Network Neighborhood on all Windows clients of its subnet.
- Try browsing the server from another client or "mounting" it.
- </p><p>
- Mounting disks from a DOS, Windows, or OS/2 client can be done by running a command such as:
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>net use m: \\servername\service</code></strong>
-</pre><p>
- Where the drive letter m: is any available drive letter. It is important to double-check that the
- service (share) name that you used does actually exist.
- </p><p>
- Try printing, for example,
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>net use lpt1: \\servername\spoolservice</code></strong>
-</pre><p>
- The <code class="literal">spoolservice</code> is the name of the printer (actually the print queue) on the target
- server. This will permit all print jobs that are captured by the lpt1: port on the Windows client to
- be sent to the printer that owns the spoolservice that has been specified.
- </p><p>
-</p><pre class="screen"><code class="prompt">C:\&gt; </code><strong class="userinput"><code>print filename</code></strong>
-</pre><div class="sect2" title="What If Things Don't Work?"><div class="titlepage"><div><div><h3 class="title"><a name="id325982"></a>What If Things Don't Work?</h3></div></div></div><p>
- You might want to read <a class="link" href="diagnosis.html" title="Chapter 38. The Samba Checklist">The Samba Checklist</a>. If you are still
- stuck, refer to <a class="link" href="problems.html" title="Chapter 39. Analyzing and Solving Samba Problems">Analyzing and Solving Samba Problems</a>. Samba has
- been successfully installed at thousands of sites worldwide. It is unlikely that your particular problem is
- unique, so it might be productive to perform an Internet search to see if someone else has encountered your
- problem and has found a way to overcome it.
- </p><p>
- If you are new to Samba, and particularly if you are new to Windows networking, or to UNIX/Linux,
- the book <span class="quote">&#8220;<span class="quote">Samba-3 by Example</span>&#8221;</span> will help you to create a validated network environment.
- Simply choose from the first five chapters the network design that most closely matches site needs,
- then follow the simple step-by-step procedure to deploy it. Later, when you have a working network
- you may well want to refer back to this book for further insight into opportunities for improvement.
- </p></div><div class="sect2" title="Still Stuck?"><div class="titlepage"><div><div><h3 class="title"><a name="id326015"></a>Still Stuck?</h3></div></div></div><p>
- The best advice under the stress of abject frustration is to cool down! That may be challenging
- of itself, but while you are angry or annoyed your ability to seek out a solution is somewhat
- undermined. A cool head clears the way to finding the answer you are looking for. Just remember,
- every problem has a solution there is a good chance that someone else has found it
- even though you can't right now. That will change with time, patience and learning.
- </p><p>
- Now that you have cooled down a bit, please refer to <a class="link" href="diagnosis.html" title="Chapter 38. The Samba Checklist">the Samba Checklist</a>
- for a process that can be followed to identify the cause of your problem.
- </p></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id326041"></a>Common Errors</h2></div></div></div><p>
-The following questions and issues are raised repeatedly on the Samba mailing list.
-</p><div class="sect2" title="Large Number of smbd Processes"><div class="titlepage"><div><div><h3 class="title"><a name="id326050"></a>Large Number of smbd Processes</h3></div></div></div><p>
- Samba consists of three core programs: <span class="application">nmbd</span>, <span class="application">smbd</span>, and <span class="application">winbindd</span>. <span class="application">nmbd</span> is the name server message daemon,
- <span class="application">smbd</span> is the server message daemon, and <span class="application">winbindd</span> is the daemon that handles communication with domain controllers.
- </p><p>
- If Samba is <span class="emphasis"><em>not</em></span> running as a WINS server, then there will be one single instance of
- <span class="application">nmbd</span> running on your system. If it is running as a WINS server, then there will be
- two instances one to handle the WINS requests.
- </p><p>
- <span class="application">smbd</span> handles all connection requests. It spawns a new process for each client
- connection made. That is why you may see so many of them, one per client connection.
- </p><p>
- <span class="application">winbindd</span> will run as one or two daemons, depending on whether or not it is being
- run in <span class="emphasis"><em>split mode</em></span> (in which case there will be two instances).
- </p></div><div class="sect2" title="Error Message: open_oplock_ipc"><div class="titlepage"><div><div><h3 class="title"><a name="id326129"></a>Error Message: open_oplock_ipc</h3></div></div></div><p>
- An error message is observed in the log files when <span class="application">smbd</span> is started: <span class="quote">&#8220;<span class="quote">open_oplock_ipc: Failed to
- get local UDP socket for address 100007f. Error was Cannot assign requested.</span>&#8221;</span>
- </p><p>
- Your loopback device isn't working correctly. Make sure it is configured correctly. The loopback
- device is an internal (virtual) network device with the IP address <span class="emphasis"><em>127.0.0.1</em></span>.
- Read your OS documentation for details on how to configure the loopback on your system.
- </p></div><div class="sect2" title="&#8220;The network name cannot be found&#8221;"><div class="titlepage"><div><div><h3 class="title"><a name="id326157"></a><span class="quote">&#8220;<span class="quote"><span class="errorname">The network name cannot be found</span></span>&#8221;</span></h3></div></div></div><p>
- This error can be caused by one of these misconfigurations:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>You specified a nonexisting path
- for the share in <code class="filename">smb.conf</code>.</p></li><li class="listitem"><p>The user you are trying to access the share with does not
- have sufficient permissions to access the path for
- the share. Both read (r) and access (x) should be possible.</p></li><li class="listitem"><p>The share you are trying to access does not exist.</p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. Fast Start: Cure for Impatience</td></tr></table></div></body></html>
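Review bot: The SWAT paragraph at the top of this hunk holds the only warning in these lines that a remote SWAT session sends passwords over the wire in the clear, and that rewriting the configuration file through SWAT removes all comments. The hunk deletes it with the rest of the page, so the commit message should say where that guidance is kept now (for example, wherever the HOWTO is maintained after this removal). The deleted page also links to SWAT.html, diagnosis.html and problems.html in the text and to introduction.html and FastStart.html in the navigation footer; please confirm that no page left in the tree still links back to this one.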
diff --git a/docs/htmldocs/Samba3-HOWTO/integrate-ms-networks.html b/docs/htmldocs/Samba3-HOWTO/integrate-ms-networks.html
deleted file mode 100644
index ebc5114a71..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/integrate-ms-networks.html
+++ /dev/null
@@ -1,461 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 29. Integrating MS Windows Networks with Samba</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication"><link rel="next" href="unicode.html" title="Chapter 30. Unicode/Charsets"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 29. Integrating MS Windows Networks with Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pam.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="unicode.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 29. Integrating MS Windows Networks with Samba"><div class="titlepage"><div><div><h2 class="title"><a name="integrate-ms-networks"></a>Chapter 29. 
Integrating MS Windows Networks with Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate"> (Jan 01 2001) </p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="integrate-ms-networks.html#id430948">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id430965">Background Information</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id431084">Name Resolution in a Pure UNIX/Linux World</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id431155"><code class="filename">/etc/hosts</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431316"><code class="filename">/etc/resolv.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431349"><code class="filename">/etc/host.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431397"><code class="filename">/etc/nsswitch.conf</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431980">The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432088">HOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432113">DNS Lookup</a></span></dt><dt><span class="sect2"><a 
href="integrate-ms-networks.html#id432135">WINS Lookup</a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id432266">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id432277">Pinging Works Only One Way</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432305">Very Slow Network Connections</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432343">Samba Server Name-Change Problem</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id430912"></a>
-This chapter deals with NetBIOS over TCP/IP name to IP address resolution. If
-your MS Windows clients are not configured to use NetBIOS over TCP/IP, then this
-section does not apply to your installation. If your installation involves the use of
-NetBIOS over TCP/IP, then this chapter may help you to resolve networking problems.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id430927"></a>
-<a class="indexterm" name="id430934"></a>
-NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS
-over Logical Link Control (LLC). On modern networks it is highly advised
-to not run NetBEUI at all. Note also that there is no such thing as
-NetBEUI over TCP/IP the existence of such a protocol is a complete
-and utter misapprehension.
-</p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id430948"></a>Features and Benefits</h2></div></div></div><p>
-Many MS Windows network administrators have never been exposed to basic TCP/IP
-networking as it is implemented in a UNIX/Linux operating system. Likewise, many UNIX and
-Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP-based
-networking (and may have no desire to be, either).
-</p><p>
-This chapter gives a short introduction to the basics of how a name can be resolved to
-its IP address for each operating system environment.
-</p></div><div class="sect1" title="Background Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id430965"></a>Background Information</h2></div></div></div><p>
-<a class="indexterm" name="id430973"></a>
-<a class="indexterm" name="id430979"></a>
-<a class="indexterm" name="id430986"></a>
-<a class="indexterm" name="id430993"></a>
-<a class="indexterm" name="id430999"></a>
-Since the introduction of MS Windows 2000, it is possible to run MS Windows networking
-without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS
-name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over
-TCP/IP is disabled on MS Windows 2000 and later clients, then only the TCP port 445 is
-used, and the UDP port 137 and TCP port 139 are not.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-When using Windows 2000 or later clients, if NetBIOS over TCP/IP is not disabled, then
-the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet
-Name Service, or WINS), TCP port 139, and TCP port 445 (for actual file and print traffic).
-</p></div><p>
-<a class="indexterm" name="id431022"></a>
-<a class="indexterm" name="id431028"></a>
-<a class="indexterm" name="id431035"></a>
-<a class="indexterm" name="id431042"></a>
-<a class="indexterm" name="id431048"></a>
-<a class="indexterm" name="id431055"></a>
-When NetBIOS over TCP/IP is disabled, the use of DNS is essential. Most installations that disable NetBIOS
-over TCP/IP today use MS Active Directory Service (ADS). ADS requires
-<a class="indexterm" name="id431064"></a> dynamic DNS with Service Resource
-Records (SRV RR) and with Incremental Zone Transfers (IXFR). <a class="indexterm" name="id431073"></a>
-Use of DHCP with ADS is recommended as a further means of maintaining central control over the client
-workstation network configuration.
-</p></div><div class="sect1" title="Name Resolution in a Pure UNIX/Linux World"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id431084"></a>Name Resolution in a Pure UNIX/Linux World</h2></div></div></div><p>
-The key configuration files covered in this section are:
-</p><a class="indexterm" name="id431093"></a><a class="indexterm" name="id431100"></a><a class="indexterm" name="id431107"></a><a class="indexterm" name="id431114"></a><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><code class="filename">/etc/hosts</code></p></li><li class="listitem"><p><code class="filename">/etc/resolv.conf</code></p></li><li class="listitem"><p><code class="filename">/etc/host.conf</code></p></li><li class="listitem"><p><code class="filename">/etc/nsswitch.conf</code></p></li></ul></div><div class="sect2" title="/etc/hosts"><div class="titlepage"><div><div><h3 class="title"><a name="id431155"></a><code class="filename">/etc/hosts</code></h3></div></div></div><p>
-This file contains a static list of IP addresses and names.
-</p><pre class="programlisting">
-127.0.0.1 localhost localhost.localdomain
-192.168.1.1 bigbox.quenya.org bigbox alias4box
-</pre><p>
-</p><p>
-<a class="indexterm" name="id431177"></a>
-<a class="indexterm" name="id431183"></a>
-The purpose of <code class="filename">/etc/hosts</code> is to provide a
-name resolution mechanism so users do not need to remember
-IP addresses.
-</p><p>
-<a class="indexterm" name="id431200"></a>
-<a class="indexterm" name="id431207"></a>
-<a class="indexterm" name="id431214"></a>
-Network packets that are sent over the physical network transport
-layer communicate not via IP addresses but rather using the Media
-Access Control address, or MAC address. IP addresses are currently
-32 bits in length and are typically presented as four decimal
-numbers that are separated by a dot (or period) for example, 168.192.1.1.
-</p><p>
-<a class="indexterm" name="id431231"></a>
-MAC addresses use 48 bits (or 6 bytes) and are typically represented
-as two-digit hexadecimal numbers separated by colons: 40:8e:0a:12:34:56.
-</p><p>
-Every network interface must have a MAC address. Associated with a MAC address may be one or more IP
-addresses. There is no relationship between an IP address and a MAC address; all such assignments are
-arbitrary or discretionary in nature. At the most basic level, all network communications take place using MAC
-addressing. Since MAC addresses must be globally unique and generally remain fixed for any particular
-interface, the assignment of an IP address makes sense from a network management perspective. More than one IP
-address can be assigned per MAC address. One address must be the primary IP address this is the
-address that will be returned in the Address Resolution Protocol (ARP) reply.
-</p><p>
-<a class="indexterm" name="id431253"></a>
-When a user or a process wants to communicate with another machine,
-the protocol implementation ensures that the <span class="quote">&#8220;<span class="quote">machine name</span>&#8221;</span> or <span class="quote">&#8220;<span class="quote">host
-name</span>&#8221;</span> is resolved to an IP address in a manner that is controlled
-by the TCP/IP configuration control files. The file
-<code class="filename">/etc/hosts</code> is one such file.
-</p><p>
-<a class="indexterm" name="id431278"></a>
-When the IP address of the destination interface has been determined, a protocol called ARP/RARP is used to
-identify the MAC address of the target interface. ARP is a broadcast-oriented method that uses User Datagram
-Protocol (UDP) to send a request to all interfaces on the local network segment using the all 1s MAC address.
-Network interfaces are programmed to respond to two MAC addresses only; their own unique address and the
-address ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will contain the MAC address and the primary
-IP address for each interface.
-</p><p>
-<a class="indexterm" name="id431298"></a>
-The <code class="filename">/etc/hosts</code> file is foundational to all
-UNIX/Linux TCP/IP installations and as a minimum will contain
-the localhost and local network interface IP addresses and the
-primary names by which they are known within the local machine.
-This file helps to prime the pump so a basic level of name
-resolution can exist before any other method of name resolution
-becomes available.
-</p></div><div class="sect2" title="/etc/resolv.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id431316"></a><code class="filename">/etc/resolv.conf</code></h3></div></div></div><p>
-This file tells the name resolution libraries:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>The name of the domain to which the machine
- belongs.
- </p></li><li class="listitem"><p>The name(s) of any domains that should be
- automatically searched when trying to resolve unqualified
- host names to their IP address.
- </p></li><li class="listitem"><p>The name or IP address of available domain
- name servers that may be asked to perform name-to-address
- translation lookups.
- </p></li></ul></div></div><div class="sect2" title="/etc/host.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id431349"></a><code class="filename">/etc/host.conf</code></h3></div></div></div><p>
-<a class="indexterm" name="id431360"></a>
-<code class="filename">/etc/host.conf</code> is the primary means by which the setting in
-<code class="filename">/etc/resolv.conf</code> may be effected. It is a critical configuration file. This file controls
-the order by which name resolution may proceed. The typical structure is:
-</p><pre class="programlisting">
-order hosts,bind
-multi on
-</pre><p>Both addresses should be returned. Please refer to the
-man page for <code class="filename">host.conf</code> for further details.
-</p></div><div class="sect2" title="/etc/nsswitch.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id431397"></a><code class="filename">/etc/nsswitch.conf</code></h3></div></div></div><p>
-<a class="indexterm" name="id431408"></a>
-This file controls the actual name resolution targets. The
-file typically has resolver object specifications as follows:
-</p><pre class="programlisting">
-# /etc/nsswitch.conf
-#
-# Name Service Switch configuration file.
-#
-
-passwd: compat
-# Alternative entries for password authentication are:
-# passwd: compat files nis ldap winbind
-shadow: compat
-group: compat
-
-hosts: files nis dns
-# Alternative entries for host name resolution are:
-# hosts: files dns nis nis+ hesiod db compat ldap wins
-networks: nis files dns
-
-ethers: nis files
-protocols: nis files
-rpc: nis files
-services: nis files
-</pre><p>
-Of course, each of these mechanisms requires that the appropriate
-facilities and/or services are correctly configured.
-</p><p>
-It should be noted that unless a network request/message must be
-sent, TCP/IP networks are silent. All TCP/IP communications assume a
-principal of speaking only when necessary.
-</p><p>
-<a class="indexterm" name="id431437"></a>
-<a class="indexterm" name="id431443"></a>
-<a class="indexterm" name="id431450"></a>
-<a class="indexterm" name="id431457"></a>
-<a class="indexterm" name="id431464"></a>
-Starting with version 2.2.0, Samba has Linux support for extensions to
-the name service switch infrastructure so Linux clients will
-be able to obtain resolution of MS Windows NetBIOS names to IP
-addresses. To gain this functionality, Samba needs to be compiled
-with appropriate arguments to the make command (i.e., <strong class="userinput"><code>make
-nsswitch/libnss_wins.so</code></strong>). The resulting library should
-then be installed in the <code class="filename">/lib</code> directory, and
-the <em class="parameter"><code>wins</code></em> parameter needs to be added to the <span class="quote">&#8220;<span class="quote">hosts:</span>&#8221;</span> line in
-the <code class="filename">/etc/nsswitch.conf</code> file. At this point, it
-will be possible to ping any MS Windows machine by its NetBIOS
-machine name, as long as that machine is within the workgroup to
-which both the Samba machine and the MS Windows machine belong.
-</p></div></div><div class="sect1" title="Name Resolution as Used within MS Windows Networking"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id431507"></a>Name Resolution as Used within MS Windows Networking</h2></div></div></div><p>
-<a class="indexterm" name="id431515"></a>
-<a class="indexterm" name="id431522"></a>
-<a class="indexterm" name="id431528"></a>
-<a class="indexterm" name="id431535"></a>
-MS Windows networking is predicated on the name each machine is given. This name is known variously (and
-inconsistently) as the <span class="quote">&#8220;<span class="quote">computer name,</span>&#8221;</span> <span class="quote">&#8220;<span class="quote">machine name,</span>&#8221;</span> <span class="quote">&#8220;<span class="quote">networking
-name,</span>&#8221;</span> <span class="quote">&#8220;<span class="quote">NetBIOS name,</span>&#8221;</span> or <span class="quote">&#8220;<span class="quote">SMB name.</span>&#8221;</span> All terms mean the same thing with the
-exception of <span class="quote">&#8220;<span class="quote">NetBIOS name,</span>&#8221;</span> which can also apply to the name of the workgroup or the domain
-name. The terms <span class="quote">&#8220;<span class="quote">workgroup</span>&#8221;</span> and <span class="quote">&#8220;<span class="quote">domain</span>&#8221;</span> are really just a simple name with which
-the machine is associated. All NetBIOS names are exactly 16 characters in length. The
-16<sup>th</sup> character is reserved. It is used to store a 1-byte value that indicates
-service level information for the NetBIOS name that is registered. A NetBIOS machine name is therefore
-registered for each service type that is provided by the client/server.
-</p><p>
-<a class="link" href="integrate-ms-networks.html#uniqnetbiosnames" title="Table 29.1. Unique NetBIOS Names">Unique NetBIOS names</a> and <a class="link" href="integrate-ms-networks.html#netbiosnamesgrp" title="Table 29.2. Group Names">group names</a> tables
-list typical NetBIOS name/service type registrations.
-</p><div class="table"><a name="uniqnetbiosnames"></a><p class="title"><b>Table 29.1. Unique NetBIOS Names</b></p><div class="table-contents"><table summary="Unique NetBIOS Names" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">MACHINENAME&lt;00&gt;</td><td align="justify">Server Service is running on MACHINENAME</td></tr><tr><td align="left">MACHINENAME&lt;03&gt;</td><td align="justify">Generic machine name (NetBIOS name)</td></tr><tr><td align="left">MACHINENAME&lt;20&gt;</td><td align="justify">LanMan server service is running on MACHINENAME</td></tr><tr><td align="left">WORKGROUP&lt;1b&gt;</td><td align="justify">Domain master browser</td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="netbiosnamesgrp"></a><p class="title"><b>Table 29.2. Group Names</b></p><div class="table-contents"><table summary="Group Names" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">WORKGROUP&lt;03&gt;</td><td align="justify">Generic name registered by all members of WORKGROUP</td></tr><tr><td align="left">WORKGROUP&lt;1c&gt;</td><td align="justify">Domain cntrollers/netlogon servers</td></tr><tr><td align="left">WORKGROUP&lt;1d&gt;</td><td align="justify">Local master browsers</td></tr><tr><td align="left">WORKGROUP&lt;1e&gt;</td><td align="justify">Browser election service</td></tr></tbody></table></div></div><br class="table-break"><p>
-<a class="indexterm" name="id431717"></a>
-It should be noted that all NetBIOS machines register their own
-names as per <a class="link" href="integrate-ms-networks.html#uniqnetbiosnames" title="Table 29.1. Unique NetBIOS Names">Unique NetBIOS names</a> and <a class="link" href="integrate-ms-networks.html#netbiosnamesgrp" title="Table 29.2. Group Names">group names</a>. This is in vast contrast to TCP/IP
-installations where the system administrator traditionally
-determines in the <code class="filename">/etc/hosts</code> or in the DNS database what names
-are associated with each IP address.
-</p><p>
-<a class="indexterm" name="id431749"></a>
-<a class="indexterm" name="id431756"></a>
-<a class="indexterm" name="id431763"></a>
-One further point of clarification should be noted. The <code class="filename">/etc/hosts</code>
-file and the DNS records do not provide the NetBIOS name information
-that MS Windows clients depend on to locate the type of service that may
-be needed. An example of this is what happens when an MS Windows client
-wants to locate a domain logon server. It finds this service and the IP
-address of a server that provides it by performing a lookup (via a
-NetBIOS broadcast) for enumeration of all machines that have
-registered the name type *&lt;1C&gt;. A logon request is then sent to each
-IP address that is returned in the enumerated list of IP addresses.
-Whichever machine first replies, it then ends up providing the logon services.
-</p><p>
-<a class="indexterm" name="id431787"></a>
-<a class="indexterm" name="id431794"></a>
-The name <span class="quote">&#8220;<span class="quote">workgroup</span>&#8221;</span> or <span class="quote">&#8220;<span class="quote">domain</span>&#8221;</span> really can be confusing, since these
-have the added significance of indicating what is the security
-architecture of the MS Windows network. The term <span class="quote">&#8220;<span class="quote">workgroup</span>&#8221;</span> indicates
-that the primary nature of the network environment is that of a
-peer-to-peer design. In a workgroup, all machines are responsible for
-their own security, and generally such security is limited to the use of
-just a password (known as share-level security). In most situations
-with peer-to-peer networking, the users who control their own machines
-will simply opt to have no security at all. It is possible to have
-user-level security in a workgroup environment, thus requiring the use
-of a username and a matching password.
-</p><p>
-<a class="indexterm" name="id431821"></a>
-<a class="indexterm" name="id431827"></a>
-<a class="indexterm" name="id431837"></a>
-<a class="indexterm" name="id431846"></a>
-<a class="indexterm" name="id431855"></a>
-<a class="indexterm" name="id431864"></a>
-<a class="indexterm" name="id431871"></a>
-<a class="indexterm" name="id431878"></a>
-MS Windows networking is thus predetermined to use machine names
-for all local and remote machine message passing. The protocol used is
-called Server Message Block (SMB), and this is implemented using
-the NetBIOS protocol (Network Basic Input/Output System). NetBIOS can
-be encapsulated using LLC (Logical Link Control) protocol in which case
-the resulting protocol is called NetBEUI (Network Basic Extended User
-Interface). NetBIOS can also be run over IPX (Internetworking Packet
-Exchange) protocol as used by Novell NetWare, and it can be run
-over TCP/IP protocols in which case the resulting protocol is called
-NBT or NetBT, the NetBIOS over TCP/IP.
-</p><p>
-MS Windows machines use a complex array of name resolution mechanisms.
-Since we are primarily concerned with TCP/IP, this demonstration is
-limited to this area.
-</p><div class="sect2" title="The NetBIOS Name Cache"><div class="titlepage"><div><div><h3 class="title"><a name="id431901"></a>The NetBIOS Name Cache</h3></div></div></div><p>
-<a class="indexterm" name="id431908"></a>
-<a class="indexterm" name="id431915"></a>
-<a class="indexterm" name="id431922"></a>
-All MS Windows machines employ an in-memory buffer in which is
-stored the NetBIOS names and IP addresses for all external
-machines that machine has communicated with over the
-past 10 to 15 minutes. It is more efficient to obtain an IP address
-for a machine from the local cache than it is to go through all the
-configured name resolution mechanisms.
-</p><p>
-<a class="indexterm" name="id431934"></a>
-If a machine whose name is in the local name cache is shut
-down before the name is expired and flushed from the cache, then
-an attempt to exchange a message with that machine will be subject
-to timeout delays. Its name is in the cache, so a name resolution
-lookup will succeed, but the machine cannot respond. This can be
-frustrating for users but is a characteristic of the protocol.
-</p><p>
-<a class="indexterm" name="id431947"></a>
-<a class="indexterm" name="id431954"></a>
-<a class="indexterm" name="id431961"></a>
-The MS Windows utility that allows examination of the NetBIOS
-name cache is called <span class="quote">&#8220;<span class="quote">nbtstat.</span>&#8221;</span> The Samba equivalent
-is called <code class="literal">nmblookup</code>.
-</p></div><div class="sect2" title="The LMHOSTS File"><div class="titlepage"><div><div><h3 class="title"><a name="id431980"></a>The LMHOSTS File</h3></div></div></div><p>
-<a class="indexterm" name="id431988"></a>
-This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in the directory
-<code class="filename">%SystemRoot%\SYSTEM32\DRIVERS\ETC</code> and contains the IP address
-and the machine name in matched pairs. The <code class="filename">LMHOSTS</code> file
-performs NetBIOS name to IP address mapping.
-</p><p>
-It typically looks like this:
-</p><pre class="programlisting">
-# Copyright (c) 1998 Microsoft Corp.
-#
-# This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS
-# over TCP/IP) stack for Windows98
-#
-# This file contains the mappings of IP addresses to NT computer names
-# (NetBIOS) names. Each entry should be kept on an individual line.
-# The IP address should be placed in the first column followed by the
-# corresponding computer name. The address and the computer name
-# should be separated by at least one space or tab. The "#" character
-# is generally used to denote the start of a comment (see the exceptions
-# below).
-#
-# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
-# files and offers the following extensions:
-#
-# #PRE
-# #DOM:&lt;domain&gt;
-# #INCLUDE &lt;filename&gt;
-# #BEGIN_ALTERNATE
-# #END_ALTERNATE
-# \0xnn (non-printing character support)
-#
-# Following any entry in the file with the characters "#PRE" will cause
-# the entry to be preloaded into the name cache. By default, entries are
-# not preloaded, but are parsed only after dynamic name resolution fails.
-#
-# Following an entry with the "#DOM:&lt;domain&gt;" tag will associate the
-# entry with the domain specified by &lt;domain&gt;. This effects how the
-# browser and logon services behave in TCP/IP environments. To preload
-# the host name associated with #DOM entry, it is necessary to also add a
-# #PRE to the line. The &lt;domain&gt; is always pre-loaded although it will not
-# be shown when the name cache is viewed.
-#
-# Specifying "#INCLUDE &lt;filename&gt;" will force the RFC NetBIOS (NBT)
-# software to seek the specified &lt;filename&gt; and parse it as if it were
-# local. &lt;filename&gt; is generally a UNC-based name, allowing a
-# centralized lmhosts file to be maintained on a server.
-# It is ALWAYS necessary to provide a mapping for the IP address of the
-# server prior to the #INCLUDE. This mapping must use the #PRE directive.
-# In addition the share "public" in the example below must be in the
-# LanMan Server list of "NullSessionShares" in order for client machines to
-# be able to read the lmhosts file successfully. This key is under
-# \machine\system\currentcontrolset\services\lanmanserver\
-# parameters\nullsessionshares
-# in the registry. Simply add "public" to the list found there.
-#
-# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
-# statements to be grouped together. Any single successful include
-# will cause the group to succeed.
-#
-# Finally, non-printing characters can be embedded in mappings by
-# first surrounding the NetBIOS name in quotations, then using the
-# \0xnn notation to specify a hex value for a non-printing character.
-#
-# The following example illustrates all of these extensions:
-#
-# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
-# 102.54.94.102 "appname \0x14" #special app server
-# 102.54.94.123 popular #PRE #source server
-# 102.54.94.117 localsrv #PRE #needed for the include
-#
-# #BEGIN_ALTERNATE
-# #INCLUDE \\localsrv\public\lmhosts
-# #INCLUDE \\rhino\public\lmhosts
-# #END_ALTERNATE
-#
-# In the above example, the "appname" server contains a special
-# character in its name, the "popular" and "localsrv" server names are
-# pre-loaded, and the "rhino" server name is specified so it can be used
-# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
-# system is unavailable.
-#
-# Note that the whole file is parsed including comments on each lookup,
-# so keeping the number of comments to a minimum will improve performance.
-# Therefore it is not advisable to simply add lmhosts file entries onto the
-# end of this file.
-</pre></div><div class="sect2" title="HOSTS File"><div class="titlepage"><div><div><h3 class="title"><a name="id432088"></a>HOSTS File</h3></div></div></div><p>
-This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in
-the directory <code class="filename">%SystemRoot%\SYSTEM32\DRIVERS\ETC</code> and contains
-the IP address and the IP hostname in matched pairs. It can be
-used by the name resolution infrastructure in MS Windows, depending
-on how the TCP/IP environment is configured. This file is in
-every way the equivalent of the UNIX/Linux <code class="filename">/etc/hosts</code> file.
-</p></div><div class="sect2" title="DNS Lookup"><div class="titlepage"><div><div><h3 class="title"><a name="id432113"></a>DNS Lookup</h3></div></div></div><p>
-<a class="indexterm" name="id432120"></a>
-This capability is configured in the TCP/IP setup area in the network
-configuration facility. If enabled, an elaborate name resolution sequence
-is followed, the precise nature of which is dependent on how the NetBIOS
-Node Type parameter is configured. A Node Type of 0 means that
-NetBIOS broadcast (over UDP broadcast) is used if the name
-that is the subject of a name lookup is not found in the NetBIOS name
-cache. If that fails, then DNS, HOSTS, and LMHOSTS are checked. If set to
-Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the
-WINS server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
-lookup is used.
-</p></div><div class="sect2" title="WINS Lookup"><div class="titlepage"><div><div><h3 class="title"><a name="id432135"></a>WINS Lookup</h3></div></div></div><p>
-<a class="indexterm" name="id432142"></a>
-<a class="indexterm" name="id432149"></a>
-<a class="indexterm" name="id432158"></a>
-A WINS (Windows Internet Name Server) service is the equivalent of the
-rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
-the names and IP addresses that are registered by a Windows client
-if the TCP/IP setup has been given at least one WINS server IP address.
-</p><p>
-To configure Samba to be a WINS server, the following parameter needs
-to be added to the <code class="filename">smb.conf</code> file:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id432188"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr></table><p>
-<a class="indexterm" name="id432202"></a>
-To configure Samba to use a WINS server, the following parameters are
-needed in the <code class="filename">smb.conf</code> file:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id432223"></a><em class="parameter"><code>wins support = No</code></em></td></tr><tr><td><a class="indexterm" name="id432234"></a><em class="parameter"><code>wins server = xxx.xxx.xxx.xxx</code></em></td></tr></table><p>
-where <em class="replaceable"><code>xxx.xxx.xxx.xxx</code></em> is the IP address
-of the WINS server.
-</p><p>For information about setting up Samba as a WINS server, read
-<a class="link" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a>.</p></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432266"></a>Common Errors</h2></div></div></div><p>
-TCP/IP network configuration problems find every network administrator sooner or later.
-The cause can be anything from keyboard mishaps to forgetfulness to simple mistakes to
-carelessness. Of course, no one is ever deliberately careless!
-</p><div class="sect2" title="Pinging Works Only One Way"><div class="titlepage"><div><div><h3 class="title"><a name="id432277"></a>Pinging Works Only One Way</h3></div></div></div><p>
- <span class="quote">&#8220;<span class="quote">I can ping my Samba server from Windows, but I cannot ping my Windows
- machine from the Samba server.</span>&#8221;</span>
- </p><p>
- The Windows machine was at IP address 192.168.1.2 with netmask 255.255.255.0, the
- Samba server (Linux) was at IP address 192.168.1.130 with netmask 255.255.255.128.
- The machines were on a local network with no external connections.
- </p><p>
- Due to inconsistent netmasks, the Windows machine was on network 192.168.1.0/24, while
- the Samba server was on network 192.168.1.128/25 logically a different network.
- </p></div><div class="sect2" title="Very Slow Network Connections"><div class="titlepage"><div><div><h3 class="title"><a name="id432305"></a>Very Slow Network Connections</h3></div></div></div><p>
- A common cause of slow network response includes:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Client is configured to use DNS and the DNS server is down.</p></li><li class="listitem"><p>Client is configured to use remote DNS server, but the
- remote connection is down.</p></li><li class="listitem"><p>Client is configured to use a WINS server, but there is no WINS server.</p></li><li class="listitem"><p>Client is not configured to use a WINS server, but there is a WINS server.</p></li><li class="listitem"><p>Firewall is filtering out DNS or WINS traffic.</p></li></ul></div></div><div class="sect2" title="Samba Server Name-Change Problem"><div class="titlepage"><div><div><h3 class="title"><a name="id432343"></a>Samba Server Name-Change Problem</h3></div></div></div><p>
- <span class="quote">&#8220;<span class="quote">The name of the Samba server was changed, Samba was restarted, and now the Samba server cannot be
- pinged by its new name from an MS Windows NT4 workstation, but it does still respond to pinging using
- the old name. Why?</span>&#8221;</span>
- </p><p>
- From this description, three things are obvious:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>WINS is not in use; only broadcast-based name resolution is used.</p></li><li class="listitem"><p>The Samba server was renamed and restarted within the last 10 or 15 minutes.</p></li><li class="listitem"><p>The old Samba server name is still in the NetBIOS name cache on the MS Windows NT4 workstation.</p></li></ul></div><p>
- To find what names are present in the NetBIOS name cache on the MS Windows NT4 machine,
- open a <code class="literal">cmd</code> shell and then:
- </p><p>
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>nbtstat -n</code></strong>
-
- NetBIOS Local Name Table
-
- Name Type Status
-------------------------------------------------
-FRODO &lt;03&gt; UNIQUE Registered
-ADMINISTRATOR &lt;03&gt; UNIQUE Registered
-FRODO &lt;00&gt; UNIQUE Registered
-SARDON &lt;00&gt; GROUP Registered
-FRODO &lt;20&gt; UNIQUE Registered
-FRODO &lt;1F&gt; UNIQUE Registered
-
-
-<code class="prompt">C:\&gt; </code>nbtstat -c
-
- NetBIOS Remote Cache Name Table
-
- Name Type Host Address Life [sec]
---------------------------------------------------------------
-GANDALF &lt;20&gt; UNIQUE 192.168.1.1 240
-
-<code class="prompt">C:\&gt; </code>
-</pre><p>
- </p><p>
- In this example, GANDALF is the Samba server and FRODO is the MS Windows NT4 workstation.
- The first listing shows the contents of the Local Name Table (i.e., identity information on
- the MS Windows workstation), and the second shows the NetBIOS name in the NetBIOS name cache.
- The name cache contains the remote machines known to this workstation.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pam.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="unicode.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 28. PAM-Based Distributed Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 30. Unicode/Charsets</td></tr></table></div></body></html>
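Review bot: the end of this hunk (the WINS Lookup and Common Errors sections) removes the rendered `wins support` / `wins server` guidance and the `nbtstat -n` / `nbtstat -c` name-cache walkthrough, and nothing in the hunk says where that material lives afterwards. Please state in the commit message whether the DocBook source for this chapter stays in the tree and how the HTML is regenerated or published. The body links to NetworkBrowsing.html and the navigation footer links to pam.html, optional.html, unicode.html and index.html, so the deletion should cover every page of this directory in the same commit; otherwise any page left behind keeps dead links.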
diff --git a/docs/htmldocs/Samba3-HOWTO/introduction.html b/docs/htmldocs/Samba3-HOWTO/introduction.html
deleted file mode 100644
index fad49efab7..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/introduction.html
+++ /dev/null
@@ -1,5 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part I. General Installation</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="IntroSMB.html" title="Introduction"><link rel="next" href="install.html" title="Chapter 1. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part I. General Installation</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="part" title="Part I. General Installation"><div class="titlepage"><div><div><h1 class="title"><a name="introduction"></a>Part I. General Installation</h1></div></div></div><div class="partintro" title="Preparing Samba for Configuration"><div><div><div><h1 class="title"><a name="id324122"></a>Preparing Samba for Configuration</h1></div></div></div><p>
-This section of the Samba-HOWTO-Collection contains general info on how to install Samba
-and how to configure the parts of Samba you will most likely need.
-PLEASE read this.
-</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="install.html">1. How to Install and Test SAMBA</a></span></dt><dd><dl><dt><span class="sect1"><a href="install.html#id324258">Obtaining and Installing Samba</a></span></dt><dt><span class="sect1"><a href="install.html#id324296">Configuring Samba (smb.conf)</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id324334">Configuration File Syntax</a></span></dt><dt><span class="sect2"><a href="install.html#tdbdocs">TDB Database File Information</a></span></dt><dt><span class="sect2"><a href="install.html#id325180">Starting Samba</a></span></dt><dt><span class="sect2"><a href="install.html#id325348">Example Configuration</a></span></dt><dt><span class="sect2"><a href="install.html#id325726">SWAT</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id325776">List Shares Available on the Server</a></span></dt><dt><span class="sect1"><a href="install.html#id325824">Connect with a UNIX Client</a></span></dt><dt><span class="sect1"><a href="install.html#id325910">Connect from a Remote SMB Client</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id325982">What If Things Don't Work?</a></span></dt><dt><span class="sect2"><a href="install.html#id326015">Still Stuck?</a></span></dt></dl></dd><dt><span class="sect1"><a href="install.html#id326041">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="install.html#id326050">Large Number of smbd Processes</a></span></dt><dt><span class="sect2"><a href="install.html#id326129">Error Message: open_oplock_ipc</a></span></dt><dt><span class="sect2"><a href="install.html#id326157"><span class="quote">&#8220;<span class="quote"><span class="errorname">The network name cannot be found</span></span>&#8221;</span></a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="FastStart.html">2. 
Fast Start: Cure for Impatience</a></span></dt><dd><dl><dt><span class="sect1"><a href="FastStart.html#id326280">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id326298">Description of Example Sites</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id326355">Worked Examples</a></span></dt><dd><dl><dt><span class="sect2"><a href="FastStart.html#id326370">Standalone Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id328002">Domain Member Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id328803">Domain Controller</a></span></dt></dl></dd></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Introduction </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 1. How to Install and Test SAMBA</td></tr></table></div></body></html>
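Review bot: the first removed line carries `<meta name="generator" content="DocBook XSL Stylesheets V1.75.2">`, so introduction.html is stylesheet output rather than hand-written source, and the deletion should be paired with an ignore rule or build-system change so the generated file is not committed again by the next docs build. The table of contents in this hunk also points at generated anchors such as install.html#id324258 and FastStart.html#id326280, which are only meaningful for this particular build; if the rendered HOWTO is published elsewhere, name that location in the commit message so that links into these pages can be redirected.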
diff --git a/docs/htmldocs/Samba3-HOWTO/ix01.html b/docs/htmldocs/Samba3-HOWTO/ix01.html
deleted file mode 100644
index 2fd7fc2681..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/ix01.html
+++ /dev/null
@@ -1,9 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="go01.html" title="Glossary"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="go01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index" title="Index"><div class="titlepage"><div><div><h2 class="title"><a name="id456213"></a>Index</h2></div></div></div><div class="index"><div class="indexdiv"><h3>Symbols</h3><dl><dt>"Printers" folder, <a class="indexterm" href="CUPS-printing.html#id407173">Caveats to Be Considered</a>, <a class="indexterm" href="CUPS-printing.html#id408287">Installing the PostScript Driver on a Client</a>, <a class="indexterm" href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a></dt><dt>$, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>%i macro, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>%L, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>%PDF, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>%SystemRoot%\System32\config, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>../source/nsswitch, <a class="indexterm" 
href="winbind.html#id420500">Configure Winbind and PAM</a></dt><dt>.ai, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>.AppleDouble, <a class="indexterm" href="VFS.html#id416047">netatalk</a></dt><dt>.eps, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>.pdf, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>.PDS extension, <a class="indexterm" href="ProfileMgmt.html#id425356">Windows NT4 Workstation</a></dt><dt>.profiles, <a class="indexterm" href="ProfileMgmt.html#id424269">Windows 9x/Me User Profiles</a></dt><dt>.ps, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>.recycle, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>/bin/false, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>/dev/null, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>/dev/shadowvol, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>/etc/cups/, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>/etc/cups/mime.convs, <a class="indexterm" href="CUPS-printing.html#id399952">Raw Print Serving: Vendor Drivers on Windows Clients</a>, <a class="indexterm" href="CUPS-printing.html#cups-raw">Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream</a>, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a>, <a class="indexterm" href="CUPS-printing.html#id404106">application/octet-stream Printing</a></dt><dt>/etc/cups/mime.types, <a class="indexterm" href="CUPS-printing.html#id399952">Raw Print Serving: Vendor Drivers on Windows Clients</a>, <a class="indexterm" href="CUPS-printing.html#cups-raw">Explicitly Enable &#8220;raw&#8221; Printing 
for application/octet-stream</a>, <a class="indexterm" href="CUPS-printing.html#id404106">application/octet-stream Printing</a></dt><dt>/etc/fstab, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>/etc/group, <a class="indexterm" href="ServerType.html#id331249">Share-Level Security</a>, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a>, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="groupmapping.html#id367182">Sample smb.conf Add Group Script</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="Portability.html#id450764">HPUX</a></dt><dt>/etc/groups, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>/etc/host.conf, <a class="indexterm" href="integrate-ms-networks.html#id431084">Name Resolution in a Pure UNIX/Linux World</a>, <a class="indexterm" href="integrate-ms-networks.html#id431349">/etc/host.conf</a></dt><dt>/etc/hosts, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="integrate-ms-networks.html#id431084">Name Resolution in a Pure UNIX/Linux World</a>, <a class="indexterm" href="integrate-ms-networks.html#id431155">/etc/hosts</a>, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>/etc/hosts&gt;, <a class="indexterm" href="integrate-ms-networks.html#id431155">/etc/hosts</a></dt><dt>/etc/inetd.conf, <a class="indexterm" 
href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a>, <a class="indexterm" href="compiling.html#id450196">Starting from inetd.conf</a></dt><dt>/etc/init.d/samba, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="winbind.html#id420170">Linux</a></dt><dt>/etc/init.d/samba.server, <a class="indexterm" href="winbind.html#id420337">Solaris</a></dt><dt>/etc/init.d/smb, <a class="indexterm" href="winbind.html#id420170">Linux</a></dt><dt>/etc/krb5.conf, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="domain-member.html#id343732">Possible Errors</a>, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a>, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></dt><dt>/etc/ldap.conf, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a>, <a class="indexterm" href="idmapper.html#id375947">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>/etc/logingroup, <a class="indexterm" href="Portability.html#id450764">HPUX</a></dt><dt>/etc/mime.conv, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>/etc/mime.types, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>/etc/nsswitch.conf, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374170">NT4-Style Domains (Includes Samba Domains)</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="idmapper.html#id375947">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a>, <a class="indexterm" href="winbind.html#id418935">Configure 
nsswitch.conf and the Winbind Libraries on Linux and Solaris</a>, <a class="indexterm" href="integrate-ms-networks.html#id431084">Name Resolution in a Pure UNIX/Linux World</a>, <a class="indexterm" href="integrate-ms-networks.html#id431397">/etc/nsswitch.conf</a></dt><dt>/etc/openldap/slapd.conf, <a class="indexterm" href="FastStart.html#id329639">The Primary Domain Controller</a></dt><dt>/etc/openldap/sldap.conf, <a class="indexterm" href="passdb.html#id363677">Accounts and Groups Management</a></dt><dt>/etc/pam.conf, <a class="indexterm" href="winbind.html#id420982">Solaris-Specific Configuration</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" href="pam.html#id428896">Technical Discussion</a>, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>/etc/pam.d, <a class="indexterm" href="winbind.html#id418709">Requirements</a>, <a class="indexterm" href="winbind.html#id418852">Testing Things Out</a>, <a class="indexterm" href="winbind.html#id420500">Configure Winbind and PAM</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>/etc/pam.d/, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a>, <a class="indexterm" href="pam.html#id428896">Technical Discussion</a></dt><dt>/etc/pam.d/ftp, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/etc/pam.d/login, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/etc/pam.d/samba, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/etc/passwd, <a class="indexterm" href="ServerType.html#id331249">Share-Level Security</a>, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a>, <a class="indexterm" href="samba-pdc.html#id336359">&#8220;$&#8221; Cannot Be Included in Machine Name</a>, <a 
class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional Client</a>, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a>, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a>, <a class="indexterm" href="passdb.html#id361898">Plaintext</a>, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="groupmapping.html#id366379">Applicable Only to Versions Earlier than 3.0.11</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>/etc/printcap, <a class="indexterm" href="CUPS-printing.html#id398976">Basic CUPS Support Configuration</a></dt><dt>/etc/resolv.conf, <a class="indexterm" href="integrate-ms-networks.html#id431084">Name Resolution in a Pure UNIX/Linux World</a>, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>/etc/samba, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual 
Server Personalities</a>, <a class="indexterm" href="cfgsmarts.html#id437590">Multiple Virtual Server Hosting</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>/etc/samba/scripts, <a class="indexterm" href="NetCommand.html#id369374">Managing Nest Groups on Workstations from the Samba Server</a></dt><dt>/etc/samba/secrets.tdb, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>/etc/samba/smb.conf, <a class="indexterm" href="install.html#id324296">Configuring Samba (smb.conf)</a></dt><dt>/etc/samba/smbpasswd, <a class="indexterm" href="passdb.html#id361898">Plaintext</a></dt><dt>/etc/samba/smbusers, <a class="indexterm" href="NetCommand.html#id369950">User Mapping</a></dt><dt>/etc/shadow, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></dt><dt>/etc/smbpasswd, <a class="indexterm" href="passdb.html#id361898">Plaintext</a></dt><dt>/etc/ssl/certs/slapd.pem, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a></dt><dt>/etc/xinetd.d, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/etc/xinetd.d/telnet, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>/export, <a class="indexterm" href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>/lib/libnss_example.so, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a></dt><dt>/lib/libnss_files.so, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a></dt><dt>/lib/security, <a class="indexterm" href="winbind.html#id420500">Configure Winbind and PAM</a>, <a class="indexterm" href="pam.html#id428947">PAM Configuration Syntax</a></dt><dt>/lib/security/, <a class="indexterm" href="winbind.html#id418338">Pluggable 
Authentication Modules</a></dt><dt>/opt/samba/bin, <a class="indexterm" href="SWAT.html#id443466">Locating the SWAT File</a></dt><dt>/tmp, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>/usr/bin/openssl, <a class="indexterm" href="SWAT.html#id443982">Securing SWAT through SSL</a></dt><dt>/usr/lib/samba/vfs, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>/usr/lib/security, <a class="indexterm" href="winbind.html#id419308">NSS Winbind on AIX</a>, <a class="indexterm" href="winbind.html#id420500">Configure Winbind and PAM</a></dt><dt>/usr/lib/security/methods.cfg, <a class="indexterm" href="winbind.html#id419308">NSS Winbind on AIX</a></dt><dt>/usr/local/lib, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>/usr/local/samba, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>/usr/local/samba/bin, <a class="indexterm" href="winbind.html#id420170">Linux</a>, <a class="indexterm" href="winbind.html#id420337">Solaris</a>, <a class="indexterm" href="SWAT.html#id443466">Locating the SWAT File</a></dt><dt>/usr/local/samba/lib, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>/usr/local/samba/lib/vfs, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>/usr/local/samba/private/secrets.tdb, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>/usr/local/samba/swat, <a class="indexterm" href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>/usr/local/samba/var, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a>, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a></dt><dt>/usr/local/samba/var/locks, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>/usr/sbin, <a class="indexterm" 
href="SWAT.html#id443466">Locating the SWAT File</a>, <a class="indexterm" href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>/usr/share/samba/swat, <a class="indexterm" href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>/var/locks/*.tdb, <a class="indexterm" href="speed.html#id452660">Corrupt tdb Files</a></dt><dt>/var/log/samba, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a></dt><dt>/var/run/samba, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>/var/spool/cups/, <a class="indexterm" href="CUPS-printing.html#id412700">Autodeletion or Preservation of CUPS Spool Files</a></dt><dt>/var/spool/samba, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="CUPS-printing.html#id412700">Autodeletion or Preservation of CUPS Spool Files</a></dt><dt>250-user limit, <a class="indexterm" href="passdb.html#id362220">tdbsam</a></dt><dt>3.0.11, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>4,500 user accounts, <a class="indexterm" href="passdb.html#id362220">tdbsam</a></dt><dt>4294967295, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>8.3 file names, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>&gt;Domain User Manager, <a class="indexterm" href="InterdomainTrusts.html#id387178">Creating an NT4 Domain Trust</a></dt><dt>\\%L\%U\.profiles, <a class="indexterm" href="ProfileMgmt.html#id424269">Windows 9x/Me User Profiles</a></dt><dt>\\SERVER, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a></dt><dt>_kerberos.REALM.NAME, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>_kerberos._udp, <a class="indexterm" href="domain-member.html#id344013">Notes</a></dt><dt>_ldap._tcp, <a class="indexterm" 
href="domain-member.html#id344013">Notes</a></dt><dt>_ldap._tcp.pdc._msdcs.quenya.org, <a class="indexterm" href="samba-bdc.html#id338539">NetBIOS Over TCP/IP Disabled</a></dt></dl></div><div class="indexdiv"><h3></h3><dl><dt>, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a>, <a class="indexterm" href="install.html#id325348">Example Configuration</a>, <a class="indexterm" href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a>, <a class="indexterm" href="FastStart.html#id326756">Anonymous Read-Write Document Server</a>, <a class="indexterm" href="FastStart.html#id326962">Anonymous Print Server</a>, <a class="indexterm" href="FastStart.html#id327301">Secure Read-Write File and Print Server</a>, <a class="indexterm" href="FastStart.html#id328056">Example Configuration</a>, <a class="indexterm" href="FastStart.html#id328866">Example: Engineering Office</a>, <a class="indexterm" href="FastStart.html#id329639">The Primary Domain Controller</a>, <a class="indexterm" href="FastStart.html#id330210">Backup Domain Controller</a>, <a class="indexterm" href="ServerType.html#id331213">Example Configuration</a>, <a class="indexterm" href="ServerType.html#id331380">Example Configuration</a>, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a>, <a class="indexterm" href="ServerType.html#id331930">Example Configuration</a>, <a class="indexterm" href="ServerType.html#id332151">Example Configuration</a>, <a class="indexterm" href="ServerType.html#id332239">Password Checking</a>, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="samba-pdc.html#id335627">Example Configuration</a>, <a class="indexterm" href="samba-bdc.html#id337727">Example PDC Configuration</a>, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a 
class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341646">Samba Client</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="domain-member.html#id342799">Configure smb.conf</a>, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a>, <a class="indexterm" href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id353180">Multiple Interfaces</a>, <a class="indexterm" href="NetworkBrowsing.html#id353357">Use of the Remote Announce Parameter</a>, <a class="indexterm" href="NetworkBrowsing.html#id353486">Use of the Remote Browse Sync Parameter</a>, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id354520">Name Resolution Order</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id363272">Configuring Samba</a>, <a class="indexterm" href="groupmapping.html#id367182">Sample smb.conf Add Group Script</a>, <a class="indexterm" href="NetCommand.html#id369374">Managing Nest Groups on Workstations from the Samba Server</a>, <a class="indexterm" 
href="idmapper.html#id374170">NT4-Style Domains (Includes Samba Domains)</a>, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a>, <a class="indexterm" href="idmapper.html#id375947">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a>, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a>, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a class="indexterm" href="AccessControls.html#id381747">Interaction with the Standard Samba &#8220;create mask&#8221; Parameters</a>, <a class="indexterm" href="AccessControls.html#id382518">Users Cannot Write to a Public Share</a>, <a class="indexterm" href="AccessControls.html#id382869">MS Word with Samba Changes Owner of File</a>, <a class="indexterm" href="locking.html#id384342">Disabling Oplocks</a>, <a class="indexterm" href="locking.html#id384432">Disabling Kernel Oplocks</a>, <a class="indexterm" href="securing-samba.html#id385501">Using Host-Based Protection</a>, <a class="indexterm" href="securing-samba.html#id385646">User-Based Protection</a>, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a>, <a class="indexterm" href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a>, <a class="indexterm" href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a>, <a class="indexterm" href="msdfs.html#id388812">MSDFS UNIX Path Is Case-Critical</a>, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a>, <a class="indexterm" 
href="classicalprinting.html#id389939">Rapid Configuration Validation</a>, <a class="indexterm" href="classicalprinting.html#id390291">Extended Printing Configuration</a>, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a>, <a class="indexterm" href="classicalprinting.html#id393519">Creating the [print$] Share</a>, <a class="indexterm" href="CUPS-printing.html#id399310">Simple smb.conf Settings for CUPS</a>, <a class="indexterm" href="CUPS-printing.html#id399534">More Complex CUPS smb.conf Settings</a>, <a class="indexterm" href="CUPS-printing.html#id405787">From Windows Clients to a CUPS/Samba Print Server</a>, <a class="indexterm" href="CUPS-printing.html#id406488">Prepare Your smb.conf for cupsaddsmb</a>, <a class="indexterm" href="VFS.html#id414746">Discussion</a>, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a>, <a class="indexterm" href="winbind.html#id419410">Configure smb.conf</a>, <a class="indexterm" href="winbind.html#id420982">Solaris-Specific Configuration</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a>, <a class="indexterm" href="ProfileMgmt.html#id424138">NT4/200x User Profiles</a>, <a class="indexterm" href="ProfileMgmt.html#id424269">Windows 9x/Me User Profiles</a>, <a class="indexterm" href="ProfileMgmt.html#id424419">Mixed Windows Windows 9x/Me and NT4/200x User Profiles</a>, <a class="indexterm" href="ProfileMgmt.html#id427978">Changing the Default Profile</a>, <a class="indexterm" href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a>, <a class="indexterm" href="integrate-ms-networks.html#id432135">WINS Lookup</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a>, <a class="indexterm" href="unicode.html#id433545">Individual Implementations</a>, <a class="indexterm" href="largefile.html">Handling Large Directories</a>, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration 
Techniques</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a>, <a class="indexterm" href="cfgsmarts.html#id437590">Multiple Virtual Server Hosting</a>, <a class="indexterm" href="upgrading-to-3.0.html#id441231">IdMap LDAP Support</a>, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a>, <a class="indexterm" href="bugreport.html#dbglvl">Debug Levels</a>, <a class="indexterm" href="bugreport.html#id448181">Debugging-Specific Operations</a>, <a class="indexterm" href="Other-Clients.html#id451928">Windows 2000 Service Pack 2</a></dt></dl></div><div class="indexdiv"><h3>A</h3><dl><dt>abbreviated keystrokes, <a class="indexterm" href="ClientConfig.html#id346080">TCP/IP Configuration</a></dt><dt>aborting shutdown, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>accept connections, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>access, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a></dt><dt>Access, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>access authentication, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>access control, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a>, <a class="indexterm" href="AdvancedNetworkManagement.html">Advanced Network Management</a></dt><dt>Access Control, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Access Control Entries 
(see ACE)</dt><dt>Access Control List, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>access control needs, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>access controls, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a>, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a>, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a>, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>Access Controls, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>access denied, <a class="indexterm" href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></dt><dt>access policies, <a class="indexterm" href="passdb.html#id361587">Domain Account Policy Managment</a></dt><dt>access rights, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>account, <a class="indexterm" href="install.html#id325348">Example Configuration</a>, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional Client</a>, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dd><dl><dt>backend, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt><dt>database, <a class="indexterm" 
href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></dt><dd><dl><dt>backends, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a></dt></dl></dd></dl></dd><dt>account access controls, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>account attributes, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a></dt><dt>account backends, <a class="indexterm" href="passdb.html">Account Information Databases</a></dt><dt>account containers, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a></dt><dt>account control block (see ACB)</dt><dt>account control flags, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>account controls, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>Account Controls, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></dt><dt>account database, <a class="indexterm" href="passdb.html#id361852">Password Backends</a></dt><dt>account deleted, <a class="indexterm" href="passdb.html#id360908">Deleting Accounts</a></dt><dt>account encode_bits, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>account flag order, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>Account Flags, <a class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a></dt><dt>account flags, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>account import/export, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a class="indexterm" href="passdb.html#id361730">Account Import/Export</a></dt><dt>account information, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain 
Control</a>, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="NetCommand.html#id369648">UNIX and Windows User Management</a></dt><dt>account information database, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>account management, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a></dt><dt>account name, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a>, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>account policies, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a></dt><dt>account policy, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>account restrictions, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></dt><dt>account security, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>account storage backends, <a class="indexterm" href="upgrading-to-3.0.html#id440518">Passdb Backends and Authentication</a></dt><dt>account storage mechanisms, <a class="indexterm" href="passdb.html">Account Information Databases</a></dt><dt>account storage system, <a class="indexterm" href="passdb.html">Account Information Databases</a></dt><dt>Account Unknown, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>accountability, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>accounts, <a class="indexterm" 
href="winbind.html#id418602">Introduction</a></dt><dt>ACL, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a>, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a>, <a class="indexterm" href="securing-samba.html#id385353">Features and Benefits</a>, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a class="indexterm" href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>ACLs, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a class="indexterm" href="classicalprinting.html#id393408">The Obsoleted [printer$] Section</a></dt><dd><dl><dt>File System, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>POSIX, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a></dt><dt>share, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a></dt><dt>Windows, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a></dt></dl></dd><dt>ACLs on share, <a class="indexterm" href="AccessControls.html#id380962">Windows 200x/XP</a></dt><dt>ACLs on shares, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a></dt><dt>across network segments, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>active directory, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id333361">Single 
Sign-On and Domain Security</a>, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="samba-pdc.html#id335523">Samba ADS Domain Control</a></dt><dt>Active Directory, <a class="indexterm" href="samba-bdc.html#id338300">Active Directory Domain Control</a>, <a class="indexterm" href="domain-member.html#ads-member">Samba ADS Domain Membership</a>, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a>, <a class="indexterm" href="idmapper.html#id372854">Standalone Samba Server</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>Active Directory Server, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>AD4UNIX, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>ADAM, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></dt><dt>add a user account, <a class="indexterm" href="passdb.html#id360831">Adding User Accounts</a></dt><dt>add client machines, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>add domain users and groups to a local group, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>add drivers, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>add machine script, <a class="indexterm" href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a>, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc 
rights&#8221; Utility</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440430">Changes in Behavior</a></dt><dt>Add Printer Wizard, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a>, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a>, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>add printer wizard, <a class="indexterm" href="CUPS-printing.html#id400430">Driver Upload Methods</a></dt><dt>add user script, <a class="indexterm" href="passdb.html#id360511">User Account Management</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440430">Changes in Behavior</a></dt><dt>add/delete/change share, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>adddriver, <a class="indexterm" href="classicalprinting.html#id394988">Installing Driver Files into [print$]</a>, <a class="indexterm" href="classicalprinting.html#id395292">Running rpcclient with adddriver</a>, <a class="indexterm" href="classicalprinting.html#id395688">Specific Driver Name Flexibility</a>, <a class="indexterm" href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a>, <a class="indexterm" href="CUPS-printing.html#id410123">Troubleshooting Revisited</a></dt><dt>additional driver, <a class="indexterm" href="classicalprinting.html#id396442">Additional Client Driver Installation</a></dt><dt>additional privileges, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>addmem, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>AddPrinterDriver(), <a class="indexterm" href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a></dt><dt>admincfg.exe, <a class="indexterm" href="Other-Clients.html#id451713">Configuring Windows for Workgroups Password Handling</a></dt><dt>administrative actions, <a 
class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>administrative duties, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>administrative privileges, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a></dt><dt>administrative responsibilities, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>administrative rights, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a>, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>administrative rights and privileges, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>Administrative Templates, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a></dt><dt>Administrator, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a>, <a class="indexterm" href="groupmapping.html#id366270">Important Administrative Information</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a></dt><dt>administrator account, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional Client</a>, <a class="indexterm" href="domain-member.html#id341570">Windows NT4 Client</a></dt><dt>Administrator account, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>administrator password, <a class="indexterm" href="domain-member.html#id344013">Notes</a></dt><dt>Administrator%password, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>Adobe, <a 
class="indexterm" href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a class="indexterm" href="CUPS-printing.html#id406303">PostScript Drivers with No Major Problems, Even in Kernel
-Mode</a>, <a class="indexterm" href="CUPS-printing.html#id411224">The Grand Unification Achieved</a></dt><dt>Adobe driver, <a class="indexterm" href="CUPS-printing.html#id407452">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>Adobe driver files, <a class="indexterm" href="CUPS-printing.html#id406987">Recognizing Different Driver Files</a></dt><dt>Adobe PostScript, <a class="indexterm" href="CUPS-printing.html#id407173">Caveats to Be Considered</a>, <a class="indexterm" href="CUPS-printing.html#id412135">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>Adobe PostScript driver, <a class="indexterm" href="CUPS-printing.html#id408287">Installing the PostScript Driver on a Client</a></dt><dt>Adobe PPD, <a class="indexterm" href="CUPS-printing.html#id410734">CUPS Print Drivers from Linuxprinting.org</a></dt><dt>Adobe specifications, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>ADS, <a class="indexterm" href="ServerType.html#id331866">ADS Security Mode (User-Level Security)</a>, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="domain-member.html#id342799">Configure smb.conf</a>, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a>, <a class="indexterm" href="domain-member.html#ads-test-server">Testing 
Server Setup</a>, <a class="indexterm" href="NetworkBrowsing.html">Network Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a>, <a class="indexterm" href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a>, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a>, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a>, <a class="indexterm" href="passdb.html#id363677">Accounts and Groups Management</a>, <a class="indexterm" href="NetCommand.html#id368198">Administrative Tasks and Methods</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="InterdomainTrusts.html#id386823">Features and Benefits</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a>, <a class="indexterm" href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a>, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id418546">Result Caching</a>, <a class="indexterm" href="PolicyMgmt.html#id422418">Features and Benefits</a>, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User 
Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423806">System Startup and Logon Processing Overview</a>, <a class="indexterm" href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a>, <a class="indexterm" href="pam.html">PAM-Based Distributed Authentication</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440518">Passdb Backends and Authentication</a>, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a>, <a class="indexterm" href="DNSDHCP.html#id454166">Features and Benefits</a> (see Active Directory)</dt><dt>ADS DC, <a class="indexterm" href="domain-member.html#id342799">Configure smb.conf</a></dt><dt>ADS domain, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a></dt><dt>ADS domain members, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>ADS manager, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>ADS schema, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a></dt><dt>Advanced TCP/IP configuration, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>advantages, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>affect users, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a></dt><dt>affordable power, <a class="indexterm" href="SambaHA.html#id434627">The Ultimate Goal</a></dt><dt>AFPL, <a class="indexterm" href="CUPS-printing.html#id401205">Ghostscript: The Software RIP for Non-PostScript Printers</a></dt><dt>AFPL Ghostscript, 
<a class="indexterm" href="CUPS-printing.html#id402868">pstoraster</a></dt><dt>AFS, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a></dt><dt>AIX, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a>, <a class="indexterm" href="winbind.html#id419308">NSS Winbind on AIX</a></dt><dt>algorithmic mapping, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a></dt><dt>alias group, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>allow access, <a class="indexterm" href="securing-samba.html#id385501">Using Host-Based Protection</a></dt><dt>allow trusted domains, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a></dt><dt>already exists, <a class="indexterm" href="domain-member.html#id344314">Cannot Add Machine Back to Domain</a></dt><dt>alternate data streams, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>alternative solution, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>Amanda, <a class="indexterm" href="Backup.html#id434353">Amanda</a></dt><dt>analyzes data, <a class="indexterm" href="problems.html#id446780">Diagnostics Tools</a></dt><dt>anonymous, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dd><dl><dt>print server, <a class="indexterm" href="FastStart.html#id326962">Anonymous Print Server</a></dt><dt>read-write server, <a class="indexterm" href="FastStart.html#id326756">Anonymous Read-Write Document Server</a></dt></dl></dd><dt>anonymous access, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a></dt><dt>anonymous file server, <a class="indexterm" 
href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>anonymous server, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>ANSI compiler, <a class="indexterm" href="Portability.html#id450764">HPUX</a></dt><dt>anticipate failure, <a class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a></dt><dt>API, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>Appliances, <a class="indexterm" href="winbind.html#id417805">Target Uses</a></dt><dt>application servers, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a></dt><dt>application/cups.vnd-postscript, <a class="indexterm" href="CUPS-printing.html#id407452">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>application/octet-stream, <a class="indexterm" href="CUPS-printing.html#cups-raw">Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream</a>, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a>, <a class="indexterm" href="CUPS-printing.html#id404106">application/octet-stream Printing</a></dt><dt>application/pdf, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a>, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a></dt><dt>application/postscript, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a>, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a>, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a>, <a class="indexterm" href="CUPS-printing.html#id402708">pstops</a>, <a class="indexterm" href="CUPS-printing.html#id407452">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>application/vnd.cups-postscript, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a>, <a class="indexterm" 
href="CUPS-printing.html#id402708">pstops</a></dt><dt>application/vnd.cups-raster, <a class="indexterm" href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dt>application/vnd.cups-raw, <a class="indexterm" href="CUPS-printing.html#cups-raw">Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream</a></dt><dt>application/x-shell, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a></dt><dt>apt-get, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>ARCFOUR-HMAC-MD5, <a class="indexterm" href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>architecture, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>ARP/RARP, <a class="indexterm" href="integrate-ms-networks.html#id431155">/etc/hosts</a></dt><dt>ASCII, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a>, <a class="indexterm" href="unicode.html#id432573">What Are Charsets and Unicode?</a>, <a class="indexterm" href="unicode.html#id432847">Japanese Charsets</a></dt><dt>ASCII text, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a></dt><dt>assign rights, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>assigned RID, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a></dt><dt>assistance, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>associations, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>attach gdb, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a></dt><dt>attribute, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a></dt><dt>attributes, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>audit file access, <a class="indexterm" 
href="VFS.html#id415132">audit</a></dt><dt>audit module, <a class="indexterm" href="VFS.html#id415364">extd_audit</a></dt><dt>auth, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>authenticate, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>authenticate users, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>authenticated, <a class="indexterm" href="domain-member.html#id342799">Configure smb.conf</a></dt><dt>authenticating server, <a class="indexterm" href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a></dt><dt>authentication, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a>, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a>, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a>, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a>, <a class="indexterm" href="passdb.html#id361730">Account Import/Export</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="winbind.html#id420500">Configure Winbind and PAM</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dd><dl><dt>backend, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt></dl></dd><dt>authentication agents, 
<a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>authentication architecture, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>authentication backend, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>authentication control, <a class="indexterm" href="winbind.html#id418602">Introduction</a></dt><dt>authentication database, <a class="indexterm" href="InterdomainTrusts.html#id386823">Features and Benefits</a></dt><dt>authentication management, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a></dt><dt>authentication mechanisms, <a class="indexterm" href="winbind.html#id418602">Introduction</a></dt><dt>authentication methods, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a></dt><dt>authentication module API, <a class="indexterm" href="winbind.html#id419308">NSS Winbind on AIX</a></dt><dt>authentication regime, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>authentication reply, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a></dt><dt>authentication server, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>authentication service, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>authentication system, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>authenticatior, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt><dt>authoritative, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>authoritive, <a class="indexterm" 
href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>authorization, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a></dt><dt>auto-reconnect, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>autogen.sh, <a class="indexterm" href="compiling.html#id449722">Building the Binaries</a></dt><dt>autogenerated printcap, <a class="indexterm" href="classicalprinting.html#id392119">Default UNIX System Printing Commands</a></dt><dt>automatic account creation, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>automatic mapping, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>automatic reconnects, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>automatic redundancy, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>autopoweruser.sh, <a class="indexterm" href="NetCommand.html#id369374">Managing Nest Groups on Workstations from the Samba Server</a></dt><dt>autotyping, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>AUXILIARY, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a></dt><dt>auxiliary members, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>availability, <a class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a>, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>available, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>available port, <a class="indexterm" href="classicalprinting.html#id397860">Samba and Printer Ports</a></dt><dt>available printerd, <a 
class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>available rights, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>average print run, <a class="indexterm" href="CUPS-printing.html#id400541">Advanced Intelligent Printing with PostScript Driver Download</a></dt></dl></div><div class="indexdiv"><h3>B</h3><dl><dt>b-node, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>back up, <a class="indexterm" href="winbind.html#id418709">Requirements</a></dt><dt>backed up, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>backend, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a></dt><dt>backend authentication, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>backend database, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a></dt><dt>backend failures, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>backend file system pool, <a class="indexterm" href="SambaHA.html#id435168">Restrictive Constraints on Distributed File Systems</a></dt><dt>backends, <a class="indexterm" href="ChangeNotes.html#id349400">Passdb Changes</a>, <a class="indexterm" href="CUPS-printing.html#id413023">Printing from CUPS to Windows-Attached Printers</a></dt><dt>backup, <a class="indexterm" href="Backup.html#id433904">Features and Benefits</a>, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a>, <a class="indexterm" href="tdb.html#id448693">Features and Benefits</a></dt><dt>backup domain controller, <a 
class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>backup solution, <a class="indexterm" href="Backup.html#id433944">Discussion of Backup Solutions</a></dt><dt>BackupPC, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>bad hardware, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></dt><dt>bad logon attempts, <a class="indexterm" href="passdb.html#id360988">Changing User Accounts</a></dt><dt>Bad networking hardware, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></dt><dt>bad password, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>banner pages, <a class="indexterm" href="CUPS-printing.html#id407452">Windows CUPS PostScript Driver Versus Adobe Driver</a>, <a class="indexterm" href="CUPS-printing.html#id407647">Run cupsaddsmb (Quiet Mode)</a></dt><dt>barriers, <a class="indexterm" href="securing-samba.html#id385260">Introduction</a></dt><dt>Batch Oplock, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>BDC, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a>, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a>, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a class="indexterm" href="samba-bdc.html#id338300">Active Directory Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" 
href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339588">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id362220">tdbsam</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="idmapper.html#id374021">Backup Domain Controller</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a>, <a class="indexterm" href="NT4Migration.html#id442286">Steps in Migration Process</a></dt><dt>BDCs, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>behavior approximately same, <a class="indexterm" href="upgrading-to-3.0.html#id438531">Quick Migration Guide</a></dt><dt>between domains, <a class="indexterm" href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a></dt><dt>bias, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>binary format TDB, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>BIND, <a 
class="indexterm" href="DNSDHCP.html#id454402">Dynamic DNS</a></dt><dt>bind interfaces only, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>BIND9, <a class="indexterm" href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt><dt>BIND9.NET, <a class="indexterm" href="DNSDHCP.html#id454166">Features and Benefits</a></dt><dt>bindery-enabled, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>block device, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>block incoming packets, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>BOBS, <a class="indexterm" href="Backup.html#id434397">BOBS: Browseable Online Backup System</a></dt><dt>bogus, <a class="indexterm" href="ServerType.html#id332151">Example Configuration</a></dt><dt>boot disk, <a class="indexterm" href="winbind.html#id418709">Requirements</a></dt><dt>bridge, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>bridges networks, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>brlock.tdb, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>broadcast, <a class="indexterm" href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a>, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>broadcast address, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>broadcast isolated subnet, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>broadcast messages, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over 
TCP/IP</a></dt><dt>broadcast messaging, <a class="indexterm" href="samba-bdc.html#id338437">How Does a Workstation find its Domain Controller?</a></dt><dt>Broadcast node, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>broadcast request, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a></dt><dt>broadcast traffic, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></dt><dt>broadcast-based, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>broadcast-based name resolution, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>broadcasts, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>browse across subnet, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></dt><dt>browse list, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>browse list handling, <a class="indexterm" href="NetworkBrowsing.html">Network Browsing</a></dt><dt>browse list maintainers, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>browse list management, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a>, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a></dt><dt>browse lists, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a>, 
<a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>browse resources, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a></dt><dt>browse server resources, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a></dt><dt>browse shares, <a class="indexterm" href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></dt><dt>browse.dat, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a></dt><dt>browseable, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a></dt><dt>browser election, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>browser elections, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>BrowseShortNames, <a class="indexterm" href="CUPS-printing.html#id414413">Print Queue Called &#8220;lp&#8221; Mishandles Print Jobs</a></dt><dt>browsing, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a>, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a></dt><dt>browsing across subnets, <a class="indexterm" href="NetworkBrowsing.html">Network Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></dt><dt>browsing another subnet, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a></dt><dt>browsing intrinsics, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing 
Functions</a></dt><dt>browsing problems, <a class="indexterm" href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a>, <a class="indexterm" href="NetworkBrowsing.html#id356151">Common Errors</a>, <a class="indexterm" href="NetworkBrowsing.html#id356285">I Get an "Unable to browse the network" Error</a></dt><dt>BSD, <a class="indexterm" href="samba-pdc.html#id336359">&#8220;$&#8221; Cannot Be Included in Machine Name</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>BSD Printing, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a></dt><dt>BSD-style printing, <a class="indexterm" href="classicalprinting.html#id390291">Extended Printing Configuration</a></dt><dt>bug report, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>bug reports, <a class="indexterm" href="bugreport.html#id447883">Introduction</a></dt><dt>Bugzilla, <a class="indexterm" href="bugreport.html#id447883">Introduction</a></dt><dt>built-in commands, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a></dt><dt>bypasses privilege, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>byte ranges, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>byte-range lock, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>byte-range locking, <a class="indexterm" href="locking.html#id383174">Discussion</a>, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt></dl></div><div class="indexdiv"><h3>C</h3><dl><dt>c:\winnt\inf, <a class="indexterm" href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></dt><dt>C:\WinNT\System32\config, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain 
Control</a></dt><dt>cached</dt><dd><dl><dt>password, <a class="indexterm" href="ServerType.html#id332239">Password Checking</a></dt></dl></dd><dt>cached encrypted password, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>cached in memory, <a class="indexterm" href="passdb.html#id358119">Advantages of Non-Encrypted Passwords</a></dt><dt>cached local file, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>cached locally, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>cached references, <a class="indexterm" href="NetworkBrowsing.html#id356510">Invalid Cached Share References Affects Network Browsing</a></dt><dt>caching, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>caching reads, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>caching scheme, <a class="indexterm" href="winbind.html#id418546">Result Caching</a></dt><dt>caching writes, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>called name, <a class="indexterm" href="securing-samba.html#id385501">Using Host-Based Protection</a></dt><dt>cannot join domain, <a class="indexterm" href="ClientConfig.html#id348714">Common Errors</a></dt><dt>canonicalize files, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>CAP, <a class="indexterm" href="unicode.html#id432847">Japanese Charsets</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a>, <a class="indexterm" href="Other-Clients.html#id451283">Macintosh Clients</a></dt><dt>cap-share, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>capability to delete, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>CAP_LINUX_IMMUTABLE, <a class="indexterm" 
href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>case options, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>case sensitivity, <a class="indexterm" href="pam.html#id428947">PAM Configuration Syntax</a></dt><dt>case-insensitive, <a class="indexterm" href="ServerType.html#id331101">User Level Security</a>, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a>, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>case-preserving, <a class="indexterm" href="ServerType.html#id331101">User Level Security</a></dt><dt>central environment, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>centralized</dt><dd><dl><dt>authentication, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt></dl></dd><dt>centralized identity management, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>centrally managed, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>certificate, <a class="indexterm" href="SWAT.html#id443982">Securing SWAT through SSL</a></dt><dt>Certificate Authority (see CA)</dt><dt>cfdisk, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>challenge/response mechanism, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>change capabilities, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a></dt><dt>change motivations, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>change password, <a class="indexterm" href="domain-member.html#id344013">Notes</a></dt><dt>change passwords, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a></dt><dt>changed parameters, <a class="indexterm" href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to 
Samba-3.0.25</a></dt><dt>changes password, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>character device, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>character set, <a class="indexterm" href="unicode.html#id432573">What Are Charsets and Unicode?</a></dt><dt>character sets, <a class="indexterm" href="unicode.html#id432692">Samba and Charsets</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>charset, <a class="indexterm" href="unicode.html#id432573">What Are Charsets and Unicode?</a></dt><dt>charset conversion, <a class="indexterm" href="unicode.html#id432818">Conversion from Old Names</a></dt><dt>chattr, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>check for locks, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>check logs, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a></dt><dt>checksum-search, <a class="indexterm" href="Backup.html#id434193">Rsync</a></dt><dt>chmod, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>chown, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="AccessControls.html#id381286">Viewing File Ownership</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>chpass, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>CIFS, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a></dt><dt>CIFS function calls, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>CIFS/SMB, <a 
class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a>, <a class="indexterm" href="SambaHA.html#id434749">Why Is This So Hard?</a></dt><dt>Citrix, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a></dt><dt>clear purpose preferred, <a class="indexterm" href="Backup.html#id433944">Discussion of Backup Solutions</a></dt><dt>clear-text, <a class="indexterm" href="ServerType.html#id332239">Password Checking</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a>, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>clear-text passwords, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>Client for Microsoft Networks, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Client for Novell Networks, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>client instructions, <a class="indexterm" href="ClientConfig.html#id345986">Features and Benefits</a></dt><dt>client-server mode, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a></dt><dt>client-side caching, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>client-side data caching, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a>, <a class="indexterm" href="locking.html#id384012">PDM Data Shares</a></dt><dt>clock skew, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>cluster, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>cluster servers, <a class="indexterm" href="SambaHA.html#id434861">The Front-End Challenge</a></dt><dt>clustered file server, <a class="indexterm" href="SambaHA.html#id434627">The Ultimate Goal</a></dt><dt>Clustered smbds, <a 
class="indexterm" href="SambaHA.html#id435235">Server Pool Communications</a></dt><dt>clustering technologies, <a class="indexterm" href="SambaHA.html#id434627">The Ultimate Goal</a></dt><dt>cluttering, <a class="indexterm" href="bugreport.html#id448181">Debugging-Specific Operations</a></dt><dt>cmd, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a>, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>cmd shell, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>CN, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a class="indexterm" href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>code maintainer, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>codepages, <a class="indexterm" href="unicode.html#id432528">Features and Benefits</a></dt><dt>collating, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a></dt><dt>collisions, <a class="indexterm" href="speed.html#id452577">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>color, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>COM1:, <a class="indexterm" href="classicalprinting.html#id397860">Samba and Printer Ports</a></dt><dt>command-line, <a class="indexterm" href="NetCommand.html">Remote and Local Management: The Net Command</a></dt><dt>command-line utility, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>commenting out setting, <a class="indexterm" href="classicalprinting.html#id389939">Rapid Configuration Validation</a></dt><dt>commercial Linux products, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access 
Controls</a></dt><dt>commercial support, <a class="indexterm" href="ch47.html">Samba Support</a>, <a class="indexterm" href="ch47.html#id454025">Commercial Support</a></dt><dt>commit the settings, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>Common Internet Filesystem (see CIFS)</dt><dt>Common restrictions, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></dt><dt>Common UNIX Printing System (see CUPS)</dt><dt>common.adm, <a class="indexterm" href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></dt><dt>comp.protocols.smb, <a class="indexterm" href="bugreport.html#id447883">Introduction</a></dt><dt>compatible, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a>, <a class="indexterm" href="Portability.html">Portability</a></dt><dt>compile, <a class="indexterm" href="install.html#id324258">Obtaining and Installing Samba</a></dt><dt>compile-time options, <a class="indexterm" href="classicalprinting.html#id389939">Rapid Configuration Validation</a></dt><dt>complex file name space, <a class="indexterm" href="SambaHA.html#id435417">A Simple Solution</a></dt><dt>complex organization, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>complexity, <a class="indexterm" href="StandAloneServer.html#id344984">Example Configuration</a></dt><dt>compliance, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>complicated, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>complicated problem, <a class="indexterm" href="SambaHA.html#id434948">Demultiplexing SMB Requests</a></dt><dt>comprehensive documentation, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>Computer Account, <a class="indexterm" href="domain-member.html#id341570">Windows NT4 Client</a></dt><dt>computer account, <a class="indexterm" 
href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>computer accounts, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>Computer Management, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a>, <a class="indexterm" href="AccessControls.html#id380962">Windows 200x/XP</a></dt><dt>Computer Name, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>computer name, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a>, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a></dt><dt>concurrent access, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>Conectiva, <a class="indexterm" href="CUPS-printing.html#id411425">Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)</a></dt><dt>config.cache, <a class="indexterm" href="domain-member.html#id343732">Possible Errors</a></dt><dt>CONFIG.POL, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a></dt><dt>Config.POL, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id422683">Windows 9x/ME Policies</a></dt><dt>configuration</dt><dd><dl><dt>documentation, <a class="indexterm" href="install.html#id325571">Test Your Config File with testparm</a></dt></dl></dd><dt>Configuration, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>configuration files, <a class="indexterm" href="SWAT.html#id443273">Features and Benefits</a></dt><dt>configuration problem, <a 
class="indexterm" href="bugreport.html#id447883">Introduction</a></dt><dt>configuration syntax, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a></dt><dt>configuration techniques, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>configuration too complex, <a class="indexterm" href="StandAloneServer.html#id345921">Common Errors</a></dt><dt>configuration tool, <a class="indexterm" href="SWAT.html">SWAT: The Samba Web Administration Tool</a></dt><dt>configuration wizard, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>configure, <a class="indexterm" href="compiling.html#id449722">Building the Binaries</a></dt><dt>configuring a firewall, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>confirm address, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>confirm the password, <a class="indexterm" href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></dt><dt>confirm the trust, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>connect transparently, <a class="indexterm" href="SambaHA.html#id434627">The Ultimate Goal</a></dt><dt>connection resources, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a></dt><dt>connections, <a class="indexterm" href="install.html#id325348">Example Configuration</a></dt><dt>connections.tdb, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>consistent case, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>console, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>consumer expects, <a class="indexterm" 
href="ch47.html">Samba Support</a></dt><dt>container, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>continuity of service, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>contribute, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>Control Panel, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>controls, <a class="indexterm" href="securing-samba.html#id385353">Features and Benefits</a></dt><dt>convert</dt><dd><dl><dt>domain member server, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt></dl></dd><dt>converted, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a></dt><dt>copy'n'paste, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>core files, <a class="indexterm" href="bugreport.html#id448377">Internal Errors</a></dt><dt>core graphic engine, <a class="indexterm" href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a></dt><dt>core values, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>corrupted, <a class="indexterm" href="tdb.html#id448693">Features and Benefits</a></dt><dt>corrupted file, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>cosine.schema, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a></dt><dt>country of origin, <a class="indexterm" href="ch47.html#id454025">Commercial Support</a></dt><dt>CP850, <a class="indexterm" href="unicode.html#id432692">Samba and Charsets</a></dt><dt>CP932, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>cracker, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>create, <a 
class="indexterm" href="AccessControls.html#id379000">Managing Directories</a></dt><dt>Create a Computer Account, <a class="indexterm" href="domain-member.html#id341570">Windows NT4 Client</a></dt><dt>create a domain machine account, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>create domain member, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional Client</a></dt><dt>create machine trust account, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>create partition, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>Create the Computer Account, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>create user accounts, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a></dt><dt>create volume, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>credentials, <a class="indexterm" href="ServerType.html#id331101">User Level Security</a>, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a>, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>credentials validation, <a class="indexterm" href="samba-bdc.html#id338488">NetBIOS Over TCP/IP Enabled</a></dt><dt>critical aspects of configuration, <a class="indexterm" href="ClientConfig.html#id345986">Features and Benefits</a></dt><dt>crle, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on 
Linux and Solaris</a></dt><dt>cron, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a></dt><dt>cross post, <a class="indexterm" href="problems.html#id447602">Getting Mailing List Help</a></dt><dt>cross-segment browsing, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>cross-subnet browsing, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>CUPS, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a>, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a>, <a class="indexterm" href="classicalprinting.html#id390291">Extended Printing Configuration</a>, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a>, <a class="indexterm" href="CUPS-printing.html#id398815">Features and Benefits</a>, <a class="indexterm" href="CUPS-printing.html#id398866">Overview</a>, <a class="indexterm" href="CUPS-printing.html#id398976">Basic CUPS Support Configuration</a>, <a class="indexterm" href="CUPS-printing.html#id401414">Using Windows-Formatted Vendor PPDs</a></dt><dd><dl><dt>Page Accounting, <a class="indexterm" href="CUPS-printing.html#id412022">Page Accounting with CUPS</a></dt><dt>quotas, <a class="indexterm" href="CUPS-printing.html#id412052">Setting Up Quotas</a></dt></dl></dd><dt>CUPS API, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a>, <a class="indexterm" href="classicalprinting.html#id392119">Default UNIX System Printing Commands</a></dt><dt>CUPS backends, <a class="indexterm" href="CUPS-printing.html#id403411">CUPS Backends</a></dt><dt>CUPS filtering, <a 
class="indexterm" href="CUPS-printing.html#id401523">CUPS Also Uses PPDs for Non-PostScript Printers</a>, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a></dt><dt>CUPS filtering chain, <a class="indexterm" href="CUPS-printing.html#id403411">CUPS Backends</a></dt><dt>CUPS libarary API, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>CUPS PostScript, <a class="indexterm" href="CUPS-printing.html#id407173">Caveats to Be Considered</a></dt><dt>CUPS PostScript driver, <a class="indexterm" href="CUPS-printing.html#id407452">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>CUPS print filters, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>CUPS raster, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a>, <a class="indexterm" href="CUPS-printing.html#id402868">pstoraster</a></dt><dt>CUPS-PPD, <a class="indexterm" href="CUPS-printing.html#id411086">cupsomatic, pdqomatic, lpdomatic, directomatic</a></dt><dt>cups.hlp, <a class="indexterm" href="CUPS-printing.html#id407173">Caveats to Be Considered</a></dt><dt>cupsaddsmb, <a class="indexterm" href="CUPS-printing.html#id400430">Driver Upload Methods</a>, <a class="indexterm" href="CUPS-printing.html#id406400">cupsaddsmb: The Unknown Utility</a>, <a class="indexterm" href="CUPS-printing.html#id407173">Caveats to Be Considered</a>, <a class="indexterm" href="CUPS-printing.html#id407647">Run cupsaddsmb (Quiet Mode)</a>, <a class="indexterm" href="CUPS-printing.html#id407782">Run cupsaddsmb with Verbose Output</a>, <a class="indexterm" href="CUPS-printing.html#id407885">Understanding cupsaddsmb</a>, <a class="indexterm" href="CUPS-printing.html#id408132">cupsaddsmb with a Samba PDC</a>, <a class="indexterm" href="CUPS-printing.html#id408209">cupsaddsmb Flowchart</a>, <a class="indexterm" 
href="CUPS-printing.html#id408287">Installing the PostScript Driver on a Client</a>, <a class="indexterm" href="CUPS-printing.html#id409034">Requirements for adddriver and setdriver to Succeed</a></dt><dt>cupsd.conf, <a class="indexterm" href="classicalprinting.html#id392119">Default UNIX System Printing Commands</a>, <a class="indexterm" href="CUPS-printing.html#id398976">Basic CUPS Support Configuration</a>, <a class="indexterm" href="CUPS-printing.html#id403945">mime.convs</a>, <a class="indexterm" href="CUPS-printing.html#id412700">Autodeletion or Preservation of CUPS Spool Files</a></dt><dt>cupsomatic, <a class="indexterm" href="CUPS-printing.html#id401414">Using Windows-Formatted Vendor PPDs</a>, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a>, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a>, <a class="indexterm" href="CUPS-printing.html#id404631">cupsomatic/foomatic-rip Versus Native CUPS Printing</a>, <a class="indexterm" href="CUPS-printing.html#id410734">CUPS Print Drivers from Linuxprinting.org</a>, <a class="indexterm" href="CUPS-printing.html#id411086">cupsomatic, pdqomatic, lpdomatic, directomatic</a></dt><dt>custom scripts, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>customer expected, <a class="indexterm" href="ch47.html">Samba Support</a></dt><dt>customers, <a class="indexterm" href="ch47.html">Samba Support</a></dt><dt>customized print commands, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a></dt></dl></div><div class="indexdiv"><h3>D</h3><dl><dt>daemon, <a class="indexterm" href="install.html#id325180">Starting Samba</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="winbind.html#id418709">Requirements</a>, <a class="indexterm" href="compiling.html#id450403">Alternative: Starting smbd as a 
Daemon</a></dt><dt>daemon running, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>daemons, <a class="indexterm" href="winbind.html#id420456">Restarting</a></dt><dt>damaged data, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>data caching, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>data corruption, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a>, <a class="indexterm" href="locking.html#id383903">UNIX or NFS Client-Accessed Files</a></dt><dt>data interchange, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>data stream, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a></dt><dt>database, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438531">Quick Migration Guide</a></dt><dt>DatabaseFS, <a class="indexterm" href="VFS.html#id416949">DatabaseFS</a></dt><dt>DAVE, <a class="indexterm" href="Other-Clients.html#id451283">Macintosh Clients</a></dt><dt>dbx, <a class="indexterm" href="bugreport.html#id448377">Internal Errors</a></dt><dt>DCE RPC, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a></dt><dt>DDK, <a class="indexterm" href="CUPS-printing.html#id406303">PostScript Drivers with No Major Problems, Even in Kernel
-Mode</a>, <a class="indexterm" href="CUPS-printing.html#id406765">CUPS &#8220;PostScript Driver for Windows NT/200x/XP&#8221;</a></dt><dt>DDNS, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a>, <a class="indexterm" href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a>, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a></dt><dt>de-multiplex, <a class="indexterm" href="SambaHA.html#id434861">The Front-End Challenge</a></dt><dt>de-multiplexing, <a class="indexterm" href="SambaHA.html#id434948">Demultiplexing SMB Requests</a></dt><dt>Debian, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>Debian Sarge, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>debug, <a class="indexterm" href="bugreport.html#id448377">Internal Errors</a></dt><dt>debug level, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a>, <a class="indexterm" href="bugreport.html#dbglvl">Debug Levels</a></dt><dt>debugging, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a>, <a class="indexterm" href="bugreport.html#id448181">Debugging-Specific Operations</a></dt><dt>debugging passwords, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a></dt><dt>debugging problems, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a></dt><dt>dedicated heartbeat, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>dedicated print server, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>default accounts, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>default aliases, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a></dt><dt>default behavior, <a class="indexterm" 
href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>default devmode, <a class="indexterm" href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></dt><dt>default DNS setup, <a class="indexterm" href="domain-member.html#id344013">Notes</a></dt><dt>default gateways, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>default groups, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a></dt><dt>default mapping, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a></dt><dt>default mappings, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>default print command, <a class="indexterm" href="classicalprinting.html#id392119">Default UNIX System Printing Commands</a></dt><dt>default print commands, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>default printer, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a></dt><dt>default printing, <a class="indexterm" href="CUPS-printing.html#id398815">Features and Benefits</a></dt><dt>default profile, <a class="indexterm" href="ProfileMgmt.html#id426613">Default Profile for Windows Users</a>, <a class="indexterm" href="ProfileMgmt.html#id427978">Changing the Default Profile</a></dt><dt>default settings, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>default shells, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>Default User, <a class="indexterm" href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a></dt><dt>default users, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a></dt><dt>defective hardware, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares 
and Directories is Very Slow</a></dt><dt>deferred open, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>defined shares, <a class="indexterm" href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a></dt><dt>delegate administrative privileges, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>delegated, <a class="indexterm" href="groupmapping.html#id366270">Important Administrative Information</a></dt><dt>delegation, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>delete, <a class="indexterm" href="AccessControls.html#id379000">Managing Directories</a></dt><dt>delete a file, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>delete roaming profiles, <a class="indexterm" href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a></dt><dt>delete user script, <a class="indexterm" href="passdb.html#id360908">Deleting Accounts</a></dt><dt>deleted files, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>deleted parameters, <a class="indexterm" href="upgrading-to-3.0.html#id439226">Removed Parameters</a></dt><dt>delmem, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>demote, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt><dt>demoted, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>denial of service, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>deny, <a class="indexterm" href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></dt><dt>deny access, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>deny modes, <a class="indexterm" 
href="locking.html#id383174">Discussion</a></dt><dt>deny-none, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>DENY_ALL, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>DENY_DOS, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>DENY_FCB, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>DENY_NONE, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>DENY_READ, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>DENY_WRITE, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>deployment, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>deployment guidelines, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>DES-CBC-CRC, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>DES-CBC-MD5, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>desirable solution, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>desktop cache, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>desktop profile, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>desktop profiles, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></dt><dt>deterents, <a class="indexterm" href="securing-samba.html#id385260">Introduction</a></dt><dt>development libraries, <a class="indexterm" 
href="winbind.html#id418709">Requirements</a></dt><dt>devfsd package, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>device mode, <a class="indexterm" href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></dt><dt>device-specific commands, <a class="indexterm" href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dt>DFS, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a> (see MS-DFS, Distributed File Systems)</dt><dt>DFS junction, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>DFS links, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>DFS root, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>DFS server, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>DFS tree, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>DFS-aware, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>DFS-aware clients, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>DHCP, <a class="indexterm" href="ClientConfig.html#id346080">TCP/IP Configuration</a>, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a>, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a>, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a>, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a>, <a class="indexterm" href="DNSDHCP.html#id454166">Features and Benefits</a></dt><dt>DHCP servers, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>DHCP-enabled, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 
2000</a></dt><dt>DHCP-enabled operation, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>diagnostic, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></dt><dt>diagnostic tools, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a></dt><dt>diff, <a class="indexterm" href="bugreport.html#id448614">Patches</a></dt><dt>differences, <a class="indexterm" href="Backup.html#id434193">Rsync</a></dt><dt>different resources, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>differently encrypted passwords, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a></dt><dt>differing protocol, <a class="indexterm" href="upgrading-to-3.0.html#id438531">Quick Migration Guide</a></dt><dt>dir, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>direct internet access, <a class="indexterm" href="securing-samba.html#id385260">Introduction</a></dt><dt>directory, <a class="indexterm" href="samba-bdc.html#id338300">Active Directory Domain Control</a>, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="idmapper.html#id374021">Backup Domain Controller</a></dt><dt>directory access control, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>directory access permissions, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>directory controls, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>Directory Information Tree (see DIT)</dt><dt>directory permissions, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and 
Files from Deletion</a></dt><dt>directory schema, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a></dt><dt>Directory Separators, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>directory server, <a class="indexterm" href="passdb.html#id362365">ldapsam</a></dt><dt>directory_mode, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>disable LMB, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>disable locking, <a class="indexterm" href="locking.html#id383088">Features and Benefits</a></dt><dt>disable roaming profiles, <a class="indexterm" href="ProfileMgmt.html#id424492">Disabling Roaming Profile Support</a></dt><dt>disabling oplocks, <a class="indexterm" href="locking.html#id384012">PDM Data Shares</a></dt><dt>disass, <a class="indexterm" href="bugreport.html#id448377">Internal Errors</a></dt><dt>disaster recovery, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>disconnect a connection, <a class="indexterm" href="ProfileMgmt.html#id424138">NT4/200x User Profiles</a></dt><dt>disk, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>disk space, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>disparate information systems, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>display PostScript, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>displayName, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a></dt><dt>distort, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>distribute authentication systems, <a class="indexterm" 
href="NT4Migration.html#id441422">Objectives</a></dt><dt>distributed, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>distributed account, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>Distributed Computing Environment (see DCE)</dt><dt>distributed directory, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>distributed file system, <a class="indexterm" href="SambaHA.html#id434627">The Ultimate Goal</a> (see DFS)</dt><dt>Distributed File Systems, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a></dt><dt>distributed file systems, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a></dt><dt>distributed locking protocol, <a class="indexterm" href="SambaHA.html#id435417">A Simple Solution</a></dt><dt>distribution, <a class="indexterm" href="install.html#id325348">Example Configuration</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>dithering algorithm, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>DMB, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a>, <a class="indexterm" href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a>, <a 
class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a>, <a class="indexterm" href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>DMB for a workgroup, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a></dt><dt>DMC, <a class="indexterm" href="idmapper.html#id374087">Examples of IDMAP Backend Usage</a></dt><dt>DMS, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="idmapper.html#id374087">Examples of IDMAP Backend Usage</a>, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>DN, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a class="indexterm" href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>DNS, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id338437">How Does a Workstation find its Domain Controller?</a>, <a class="indexterm" href="samba-bdc.html#id338539">NetBIOS Over TCP/IP Disabled</a>, <a class="indexterm" href="domain-member.html#id342799">Configure smb.conf</a>, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a>, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a>, <a class="indexterm" href="NetworkBrowsing.html">Network 
Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a>, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a>, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a>, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a>, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a>, <a class="indexterm" href="integrate-ms-networks.html#id432113">DNS Lookup</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a>, <a class="indexterm" href="DNSDHCP.html#id454166">Features and Benefits</a>, <a class="indexterm" href="DNSDHCP.html#id454326">Example Configuration</a></dt><dd><dl><dt>Active Directory, <a class="indexterm" href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt><dt>Dynamic, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a>, <a class="indexterm" href="DNSDHCP.html#id454402">Dynamic DNS</a></dt><dt>SRV records, <a class="indexterm" href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt></dl></dd><dt>DNS Configuration, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></dt><dt>DNS lookup, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>DNS name resolution, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>dns proxy, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a></dt><dt>DNS server, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>DNS server 
access, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a></dt><dt>DNS server settings, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>DNS servers, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>DNS zon, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>DNS/LDAP/ADS, <a class="indexterm" href="NetworkBrowsing.html#id354713">Technical Overview of Browsing</a></dt><dt>document design, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>documentation, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="SWAT.html#id443273">Features and Benefits</a>, <a class="indexterm" href="problems.html">Analyzing and Solving Samba Problems</a></dt><dt>domain, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="passdb.html#id360831">Adding User Accounts</a>, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dd><dl><dt>control, <a class="indexterm" href="ServerType.html#id330822">Server Types</a></dt><dd><dl><dt>role, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt></dl></dd><dt>controller, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a>, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a>, <a class="indexterm" href="samba-pdc.html">Domain Control</a>, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt><dd><dl><dt>convert, <a class="indexterm" 
href="samba-pdc.html#id333888">Domain Controller Types</a></dt><dt>hierarchy, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt></dl></dd><dt>controllers, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></dt><dt>groups, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a></dt><dt>master</dt><dd><dl><dt>browser, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a></dt></dl></dd><dt>member, <a class="indexterm" href="ServerType.html#id330822">Server Types</a>, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt><dd><dl><dt>server, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a></dt></dl></dd><dt>member server, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt><dt>security, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></dt><dd><dl><dt>protocols, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt></dl></dd><dt>trust account, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt></dl></dd><dt>domain access, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>domain account access policies, <a class="indexterm" href="passdb.html#id361587">Domain Account Policy Managment</a></dt><dt>domain admin group, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>domain Administrator, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>Domain Admins, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a>, <a class="indexterm" 
href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="groupmapping.html#id366270">Important Administrative Information</a>, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a>, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>Domain Admins group, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a></dt><dt>domain authentication, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>domain context, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>domain control, <a class="indexterm" href="samba-pdc.html#id333870">Basics of Domain Control</a>, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a>, <a class="indexterm" href="samba-bdc.html#id339500">Common Errors</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt>backup, <a class="indexterm" href="ServerType.html#id330822">Server Types</a></dt><dt>primary, <a class="indexterm" href="ServerType.html#id330822">Server Types</a></dt></dl></dd><dt>domain control database (see SAM)</dt><dt>domain controller, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a>, <a class="indexterm" href="samba-bdc.html#id337275">Essential Background Information</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id338300">Active Directory Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id338488">NetBIOS Over TCP/IP Enabled</a>, <a class="indexterm" 
href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a>, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a>, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a>, <a class="indexterm" href="NT4Migration.html#id442286">Steps in Migration Process</a></dt><dt>Domain Controller, <a class="indexterm" href="CUPS-printing.html#id407173">Caveats to Be Considered</a></dt><dt>domain controllers, <a class="indexterm" href="samba-pdc.html#id335523">Samba ADS Domain Control</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a>, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>domain environment, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>domain global, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>domain global group, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>domain global groups, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>domain global user, <a class="indexterm" href="rights.html#id378053">What Rights 
and Privileges Will Permit Windows Client Administration?</a></dt><dt>domain global users, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>domain group, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a></dt><dt>domain group settings, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>domain groups, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a></dt><dt>Domain Groups, <a class="indexterm" href="passdb.html#id363677">Accounts and Groups Management</a></dt><dt>Domain Guests, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>domain information, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>domain join, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a></dt><dt>domain joining, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>domain logon, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="samba-pdc.html#id335566">Domain and Network Logon Configuration</a>, <a class="indexterm" href="samba-pdc.html#id335583">Domain Network Logon Service</a>, <a class="indexterm" href="samba-bdc.html#id337727">Example PDC Configuration</a>, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>domain logon server, <a class="indexterm" 
href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>domain logons, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>domain management tools, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>domain master, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a></dt><dt>domain member, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a>, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="domain-member.html">Domain Membership</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional Client</a>, <a class="indexterm" href="domain-member.html#id344280">Common Errors</a>, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a>, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="winbind.html#id417844">Handling of Foreign SIDs</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>Domain Member, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dd><dl><dt>joining, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a></dt></dl></dd><dt>domain member client, <a 
class="indexterm" href="groupmapping.html#id366270">Important Administrative Information</a></dt><dt>Domain Member Client (see DMC)</dt><dt>domain member server, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a>, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>Domain Member Server (see DMS)</dt><dt>domain member servers, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>domain member workstations, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>domain members, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a>, <a class="indexterm" href="winbind.html#id418602">Introduction</a></dt><dt>domain membership, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="domain-member.html">Domain 
Membership</a></dt><dt>domain name, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Domain Name System (see DNS)</dt><dt>domain non-member, <a class="indexterm" href="winbind.html#id417844">Handling of Foreign SIDs</a></dt><dt>domain policies, <a class="indexterm" href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></dt><dt>domain radio button, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>domain security, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a>, <a class="indexterm" href="domain-member.html">Domain Membership</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a>, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a>, <a class="indexterm" href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a></dt><dt>domain security account, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust 
Accounts</a></dt><dt>Domain Server Manager, <a class="indexterm" href="groupmapping.html#id366379">Applicable Only to Versions Earlier than 3.0.11</a></dt><dt>domain SID, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></dt><dt>domain trust, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a>, <a class="indexterm" href="InterdomainTrusts.html#id387178">Creating an NT4 Domain Trust</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>domain user, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a></dt><dt>domain user accounts, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a></dt><dt>domain user manager, <a class="indexterm" href="passdb.html#id360511">User Account Management</a></dt><dt>Domain User Manager, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="groupmapping.html#id366379">Applicable Only to Versions Earlier than 3.0.11</a>, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></dt><dt>Domain Users, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>domain users, <a class="indexterm" href="winbind.html#id418709">Requirements</a>, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a>, <a class="indexterm" 
href="winbind.html#id421094">Conclusion</a></dt><dt>Domain Users group, <a class="indexterm" href="groupmapping.html#id367547">Adding Domain Users to the Workstation Power Users Group</a></dt><dt>domain-level, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a></dt><dt>domain-level security, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>domain-wide browse list, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a></dt><dt>DOMAIN&lt;1B&gt;, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a></dt><dt>DOMAIN&lt;1C&gt;, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a></dt><dt>DOMAIN&lt;1D&gt;, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a></dt><dt>draft, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>Drive Identification, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>driver, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a></dt><dt>driver CDROM, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a></dt><dt>driver download, <a class="indexterm" href="classicalprinting.html#id393726">[print$] Stanza Parameters</a></dt><dt>Driver File, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a></dt><dt>driver files, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a></dt><dt>Driver Path, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a></dt><dt>dual-daemon winbindd, <a class="indexterm" 
href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>due diligence, <a class="indexterm" href="Backup.html#id433944">Discussion of Backup Solutions</a></dt><dt>duplex, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>duplex printing, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>duplicate, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a></dt><dt>duplication of information, <a class="indexterm" href="winbind.html#id417589">Introduction</a></dt><dt>DVI, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a>, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a></dt><dt>Dynamic DNS (see DDNS)</dt><dt>Dynamic Host Configuration Protocol (see DHCP)</dt><dt>dynamic link loader, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>dynamic registration files, <a class="indexterm" href="DNSDHCP.html#id454402">Dynamic DNS</a></dt><dt>Dynamic SMB servers, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>dynamically loadable library modules, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt></dl></div><div class="indexdiv"><h3>E</h3><dl><dt>e-Directory, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>EAs, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>economically wise, <a class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a></dt><dt>eDirectory, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>editreg, <a class="indexterm" href="PolicyMgmt.html#id423630">Samba Editreg 
Toolset</a></dt><dt>efficient authentication, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>election, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>election criteria, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>election packet, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>election process, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>EMF, <a class="indexterm" href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a>, <a class="indexterm" href="CUPS-printing.html#id405549">From Windows Clients to an NT Print Server</a>, <a class="indexterm" href="CUPS-printing.html#id405672">Driver Execution on the Server</a></dt><dt>enables clients to print, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a></dt><dt>enables NetBIOS over TCP/IP, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>encapsulating, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>encoding, <a class="indexterm" href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>encryped password, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>encrypted, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a>, <a class="indexterm" href="ServerType.html#id332239">Password Checking</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes 
About Security</a></dt><dt>encrypted password, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>encrypted passwords, <a class="indexterm" href="ServerType.html#id332239">Password Checking</a>, <a class="indexterm" href="passdb.html#id356961">Features and Benefits</a>, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a>, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a>, <a class="indexterm" href="ProfileMgmt.html#id426086">Profile Migration from Windows NT4/200x Server to Samba</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440518">Passdb Backends and Authentication</a></dt><dt>encrypted session, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>Encrypted SMB transport, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>encryption, <a class="indexterm" href="ServerType.html#id331998">Server Security (User Level Security)</a></dt><dt>encryption key, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional Client</a></dt><dt>encryption types, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="domain-member.html#id344013">Notes</a></dt><dt>enforcing, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>English, <a class="indexterm" href="unicode.html#id432847">Japanese Charsets</a>, <a class="indexterm" href="SWAT.html#id444127">Enabling SWAT Internationalization Support</a></dt><dt>Enhanced MetaFile (see EMF)</dt><dt>enterprise, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>enumdrivers, <a class="indexterm" 
href="classicalprinting.html#id394484">Identifying Driver Files</a>, <a class="indexterm" href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a></dt><dt>enumerate domain groups, <a class="indexterm" href="winbind.html#id418004">Microsoft Remote Procedure Calls</a></dt><dt>enumerate domain users, <a class="indexterm" href="winbind.html#id418004">Microsoft Remote Procedure Calls</a></dt><dt>EnumJobs(), <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>enumprinters, <a class="indexterm" href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a></dt><dt>environment variables, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a></dt><dt>EPM (see ESP meta packager)</dt><dt>Epson Stylus, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>Epson Stylus inkjet, <a class="indexterm" href="CUPS-printing.html#id411496">Foomatic Database-Generated PPDs</a></dt><dt>equivalence, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>equivalent rights and privileges, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>error message, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a>, <a class="indexterm" href="classicalprinting.html#id395292">Running rpcclient with adddriver</a></dt><dt>error messages, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a></dt><dt>errors that can afflict, <a class="indexterm" href="ClientConfig.html#id348714">Common Errors</a></dt><dt>ESC/P, <a class="indexterm" href="CUPS-printing.html#id405672">Driver Execution on the Server</a></dt><dt>ESP, <a class="indexterm" href="CUPS-printing.html#id401205">Ghostscript: The Software RIP for Non-PostScript Printers</a></dt><dd><dl><dt>Ghostscript, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS 
Filtering Architecture</a>, <a class="indexterm" href="CUPS-printing.html#id404631">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>meta packager, <a class="indexterm" href="CUPS-printing.html#id406765">CUPS &#8220;PostScript Driver for Windows NT/200x/XP&#8221;</a></dt><dt>Print Pro, <a class="indexterm" href="CUPS-printing.html#id405347">Sources of CUPS Drivers/PPDs</a>, <a class="indexterm" href="CUPS-printing.html#id407118">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></dt></dl></dd><dt>ESP Ghostscript, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a></dt><dt>established, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>ethereal, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a>, <a class="indexterm" href="problems.html#id447073">Tcpdump</a>, <a class="indexterm" href="problems.html#id447122">Ethereal</a>, <a class="indexterm" href="problems.html#id447261">The Windows Network Monitor</a></dt><dt>Ethernet adapters, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>EUC-JP, <a class="indexterm" href="unicode.html#id432847">Japanese Charsets</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>eucJP-ms locale, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>Event Viewer, <a class="indexterm" href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a></dt><dt>Everyone - Full Control, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a></dt><dt>Everyone group, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>EVMS, <a class="indexterm" href="VFS.html#id416094">shadow_copy</a></dt><dt>examples, <a class="indexterm" href="install.html#id325348">Example 
Configuration</a></dt><dt>examples/LDAP, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>execute, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>existing LDAP DIT, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>expands control abilities, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>expired password, <a class="indexterm" href="passdb.html#id360988">Changing User Accounts</a></dt><dt>explicit trust, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>explicitly set, <a class="indexterm" href="classicalprinting.html#id389939">Rapid Configuration Validation</a></dt><dt>exploit opportunities, <a class="indexterm" href="PolicyMgmt.html#id422418">Features and Benefits</a></dt><dt>exploitation, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>exported file system, <a class="indexterm" href="SambaHA.html#id435417">A Simple Solution</a></dt><dt>exposed, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>extd_audit module, <a class="indexterm" href="VFS.html#id415364">extd_audit</a></dt><dt>Extended Attributes, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>extended attributes, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>Extended BSD Printing, <a class="indexterm" href="classicalprinting.html#id390291">Extended Printing Configuration</a></dt><dt>extended characters, <a class="indexterm" href="unicode.html#id432573">What Are Charsets and Unicode?</a></dt><dt>extended protocol, <a class="indexterm" href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a></dt><dt>extended SAM, <a class="indexterm" 
href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>extra machine, <a class="indexterm" href="cfgsmarts.html#id437590">Multiple Virtual Server Hosting</a></dt></dl></div><div class="indexdiv"><h3>F</h3><dl><dt>fail, <a class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a></dt><dt>failed join, <a class="indexterm" href="idmapper.html#id374170">NT4-Style Domains (Includes Samba Domains)</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a></dt><dt>failed logins, <a class="indexterm" href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dt>failover communication, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>failover process, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>failover servers, <a class="indexterm" href="SambaHA.html#id435417">A Simple Solution</a></dt><dt>fails, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a></dt><dt>failure, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a></dt><dt>failure semantics, <a class="indexterm" href="SambaHA.html#id435366">Required Modifications to Samba</a></dt><dt>fake-permissions module, <a class="indexterm" href="ProfileMgmt.html#id426418">Mandatory Profiles</a></dt><dt>fake_permissions, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>fake_perms, <a class="indexterm" href="VFS.html#fakeperms">fake_perms</a>, <a class="indexterm" href="ProfileMgmt.html#id426418">Mandatory Profiles</a></dt><dt>fdisk, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>Federated Identity Management (see FIM)</dt><dt>federated organizations, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>federated-identity, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain 
Security</a></dt><dt>Fiber Channel, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>fickle, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a></dt><dt>fid, <a class="indexterm" href="SambaHA.html#id434948">Demultiplexing SMB Requests</a></dt><dt>file access permissions, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>File Naming Conventions, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>file ownership, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a></dt><dt>File Service, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>file serving, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>File System, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dd><dl><dt>case sensitivity, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>feature comparison, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>UNIX, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>Windows, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></dd><dt>file system capabilities, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>FILE:, <a class="indexterm" href="classicalprinting.html#id397860">Samba and Printer Ports</a></dt><dt>filemanager, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a></dt><dt>filename mangling, <a class="indexterm" 
href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>filter, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>Filter Oplock, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>FilterLimit, <a class="indexterm" href="CUPS-printing.html#id403945">mime.convs</a></dt><dt>filters, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>FIM, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>firewall, <a class="indexterm" href="securing-samba.html#id385260">Introduction</a>, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>firewall active, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>firewall setups, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>fixed IP address, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>fixed IP addresses, <a class="indexterm" href="ClientConfig.html#id346080">TCP/IP Configuration</a></dt><dt>flush local locks, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>flush name cache, <a class="indexterm" href="NetworkBrowsing.html#id356175">Flushing the Samba NetBIOS Name Cache</a></dt><dt>foomatic, <a class="indexterm" href="CUPS-printing.html#id401414">Using Windows-Formatted Vendor PPDs</a>, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a>, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a>, <a class="indexterm" 
href="CUPS-printing.html#id404631">cupsomatic/foomatic-rip Versus Native CUPS Printing</a>, <a class="indexterm" href="CUPS-printing.html#id410895">foomatic-rip and Foomatic Explained</a>, <a class="indexterm" href="CUPS-printing.html#id411022">Foomatic's Strange Name</a></dt><dt>Foomatic database, <a class="indexterm" href="CUPS-printing.html#id411496">Foomatic Database-Generated PPDs</a></dt><dt>Foomatic Printer, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>Foomatic tutorial, <a class="indexterm" href="CUPS-printing.html#id411224">The Grand Unification Achieved</a></dt><dt>foomatic-rip, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a>, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a>, <a class="indexterm" href="CUPS-printing.html#id404631">cupsomatic/foomatic-rip Versus Native CUPS Printing</a>, <a class="indexterm" href="CUPS-printing.html#id410734">CUPS Print Drivers from Linuxprinting.org</a>, <a class="indexterm" href="CUPS-printing.html#id410895">foomatic-rip and Foomatic Explained</a>, <a class="indexterm" href="CUPS-printing.html#id411224">The Grand Unification Achieved</a></dt><dt>Foomatic/cupsomatic, <a class="indexterm" href="CUPS-printing.html#id404631">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>force an election, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>force election, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a></dt><dt>forced synchronization, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>foreign domain, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a>, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local 
Groups</a></dt><dt>foreign SID, <a class="indexterm" href="winbind.html#id417844">Handling of Foreign SIDs</a></dt><dt>foreign user, <a class="indexterm" href="winbind.html#id417844">Handling of Foreign SIDs</a></dt><dt>forest, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>FQDN, <a class="indexterm" href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>framing error, <a class="indexterm" href="speed.html#id452577">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>free support, <a class="indexterm" href="ch47.html">Samba Support</a>, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>FreeBSD, <a class="indexterm" href="samba-pdc.html#id336359">&#8220;$&#8221; Cannot Be Included in Machine Name</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>freezing, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>French, <a class="indexterm" href="SWAT.html#id444127">Enabling SWAT Internationalization Support</a></dt><dt>front-end virtual server, <a class="indexterm" href="SambaHA.html#id434861">The Front-End Challenge</a>, <a class="indexterm" href="SambaHA.html#id434948">Demultiplexing SMB Requests</a></dt><dt>frustrating experience, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></dt><dt>FTP, <a class="indexterm" href="passdb.html#id358119">Advantages of Non-Encrypted Passwords</a></dt><dt>ftp, <a class="indexterm" href="Backup.html#id434193">Rsync</a>, <a class="indexterm" href="compiling.html#id449526">Accessing the Samba Sources via rsync and ftp</a></dt><dt>ftp access, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>ftp service, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>ftp services, <a class="indexterm" 
href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>ftpd, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>full rights, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>functional components, <a class="indexterm" href="bugreport.html#id448181">Debugging-Specific Operations</a></dt><dt>functionality, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt></dl></div><div class="indexdiv"><h3>G</h3><dl><dt>gateway address, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>gcc, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a>, <a class="indexterm" href="Portability.html#id450764">HPUX</a></dt><dt>gdb, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a>, <a class="indexterm" href="bugreport.html#id448377">Internal Errors</a>, <a class="indexterm" href="bugreport.html#id448498">Attaching to a Running Process</a></dt><dt>GDI, <a class="indexterm" href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a class="indexterm" href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a>, <a class="indexterm" href="CUPS-printing.html#id405549">From Windows Clients to an NT Print Server</a>, <a class="indexterm" href="CUPS-printing.html#id405672">Driver Execution on the Server</a></dt><dt>general security service application programming interface (see GSSAPI)</dt><dt>generic PostScript, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>generic raster, <a class="indexterm" href="CUPS-printing.html#id402868">pstoraster</a></dt><dt>generic raster format, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a></dt><dt>genlogon.pl, <a class="indexterm" 
href="AdvancedNetworkManagement.html#id422084">Network Logon Script Magic</a></dt><dt>Gentoo, <a class="indexterm" href="speed.html#id452577">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>Germany, <a class="indexterm" href="SambaHA.html#id434596">Technical Discussion</a></dt><dt>get, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>getdriver, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a>, <a class="indexterm" href="classicalprinting.html#id394988">Installing Driver Files into [print$]</a></dt><dt>getdriverdir, <a class="indexterm" href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a></dt><dt>getent, <a class="indexterm" href="NetCommand.html#id368450">Adding or Creating a New Group</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>getent group demo, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>gethostbyname() function call, <a class="indexterm" href="NetworkBrowsing.html#id354520">Name Resolution Order</a></dt><dt>getpwnam, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>getpwnam() call, <a class="indexterm" href="upgrading-to-3.0.html#id440430">Changes in Behavior</a></dt><dt>GetSID.exe, <a class="indexterm" href="ProfileMgmt.html#id426358">Get SID</a></dt><dt>GhostScript, <a class="indexterm" href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a class="indexterm" href="CUPS-printing.html#id401205">Ghostscript: The Software RIP for Non-PostScript Printers</a></dt><dd><dl><dt>(see also PostScript)</dt></dl></dd><dt>Ghostscript, <a class="indexterm" 
href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a>, <a class="indexterm" href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dd><dl><dt>ESP (see ESP
- GhostScript)</dt></dl></dd><dt>GID, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a>, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="ChangeNotes.html#id349400">Passdb Changes</a>, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id417844">Handling of Foreign SIDs</a>, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>GID numbers, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>GID range, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>GIF, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>global print command, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print 
Commands</a></dt><dt>global right, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>global section, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>Global support, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>global-level, <a class="indexterm" href="classicalprinting.html#id389393">Printing-Related Configuration Parameters</a></dt><dt>GNOME, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>GNU Ghostscript, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a>, <a class="indexterm" href="CUPS-printing.html#id402868">pstoraster</a></dt><dt>GNU GPL, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>GNU tar, <a class="indexterm" href="Backup.html#id434353">Amanda</a></dt><dt>GNU/Linux, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>GPG, <a class="indexterm" href="compiling.html#id449593">Verifying Samba's PGP Signature</a></dt><dt>GPL, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>gpolmig.exe, <a class="indexterm" href="PolicyMgmt.html#id423192">Administration of Windows 200x/XP Policies</a></dt><dt>GPOs, <a class="indexterm" href="PolicyMgmt.html#id422418">Features and Benefits</a>, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423192">Administration of Windows 200x/XP Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423806">System Startup and Logon Processing Overview</a>, <a class="indexterm" href="ProfileMgmt.html#id427303">MS Windows 
200x/XP</a></dt><dt>grace time, <a class="indexterm" href="passdb.html#id360988">Changing User Accounts</a></dt><dt>grant rights, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>graphical objects, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>graphically illustrated client configuration, <a class="indexterm" href="ClientConfig.html#id345986">Features and Benefits</a></dt><dt>grayscale, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>greater scalability, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>greatest mistake, <a class="indexterm" href="StandAloneServer.html#id345921">Common Errors</a></dt><dt>grep, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>group, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dd><dl><dt>account, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>mapping, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt></dl></dd><dt>group account, <a class="indexterm" href="groupmapping.html#id366270">Important Administrative Information</a>, <a class="indexterm" href="idmapper.html#id374021">Backup Domain Controller</a></dt><dt>group accounts, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a>, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a>, <a class="indexterm" 
href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="groupmapping.html#id365690">Warning: User Private Group Problems</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>group management, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a></dt><dt>group mapping, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>group mappings, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a></dt><dt>group membership, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>group ownership, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a></dt><dt>group permissions, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>Group Policies, <a class="indexterm" href="PolicyMgmt.html#id422418">Features and Benefits</a></dt><dt>group policies, <a class="indexterm" href="PolicyMgmt.html#id422418">Features and Benefits</a></dt><dt>group policy, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>Group Policy, <a class="indexterm" href="PolicyMgmt.html#id422683">Windows 9x/ME Policies</a></dt><dt>Group Policy Container (see GPC)</dt><dt>Group Policy Editor, <a class="indexterm" href="PolicyMgmt.html#id422683">Windows 9x/ME Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423706">Windows NT4/200x</a>, <a class="indexterm" 
href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>Group Policy Objects, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a> (see GPO)</dt><dt>group policy objects (see GPOs)</dt><dt>Group Policy Template (see GPT)</dt><dt>group privileges, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a></dt><dt>group profiles, <a class="indexterm" href="ProfileMgmt.html#id426546">Creating and Managing Group Profiles</a></dt><dt>group SID, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></dt><dt>groupadd, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="groupmapping.html#id367182">Sample smb.conf Add Group Script</a>, <a class="indexterm" href="groupmapping.html#id367467">Adding Groups Fails</a></dt><dt>groupadd limitations, <a class="indexterm" href="groupmapping.html#id367182">Sample smb.conf Add Group Script</a></dt><dt>groupdel, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a></dt><dt>groupmap, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>groupmod, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a></dt><dt>grouppol.inf, <a class="indexterm" href="PolicyMgmt.html#id422683">Windows 9x/ME Policies</a></dt><dt>groups, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a>, <a class="indexterm" href="PolicyMgmt.html#id422418">Features and Benefits</a></dt><dd><dl><dt>domain, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a></dt><dt>mapping, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a></dt><dt>nested, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt></dl></dd><dt>groups of users, <a class="indexterm" 
href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>growing, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>GSSAPI, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>gtklp, <a class="indexterm" href="CUPS-printing.html#id411496">Foomatic Database-Generated PPDs</a></dt><dt>guest, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>guest account, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a>, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>GUI, <a class="indexterm" href="CUPS-printing.html#id398866">Overview</a></dt><dt>Gutenprint, <a class="indexterm" href="CUPS-printing.html#id403199">rasterto [printers specific]</a>, <a class="indexterm" href="CUPS-printing.html#id411332">Driver Development Outside</a></dt></dl></div><div class="indexdiv"><h3>H</h3><dl><dt>h-node, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>harvesting password hashes, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>hashed password equivalent, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>headers files, <a class="indexterm" href="domain-member.html#id343732">Possible Errors</a></dt><dt>Heimdal, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>Heimdal kerberos, <a class="indexterm" 
href="idmapper.html#id374447">ADS Domains</a>, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></dt><dt>help, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>help command, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>heterogeneous computing, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a></dt><dt>HEX, <a class="indexterm" href="unicode.html#id432847">Japanese Charsets</a></dt><dt>hi-res photo, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>high availability, <a class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a></dt><dt>high order ports, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>high-availability, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>high-availability services, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>high-speed server interconnect, <a class="indexterm" href="SambaHA.html#id435417">A Simple Solution</a></dt><dt>higher availability, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>HKEY_CURRENT_USER, <a class="indexterm" href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a></dt><dt>HKEY_LOCAL_MACHINE, <a class="indexterm" href="PolicyMgmt.html#id422977">Registry Spoiling</a></dt><dt>holy grail, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a></dt><dt>home directories, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>home directory, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password 
Database</a></dt><dt>home directory template, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>home drive, <a class="indexterm" href="samba-bdc.html#id337727">Example PDC Configuration</a></dt><dt>host multiple servers, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>host security, <a class="indexterm" href="securing-samba.html#id385353">Features and Benefits</a></dt><dt>host-based protection, <a class="indexterm" href="securing-samba.html#id385353">Features and Benefits</a></dt><dt>hostname, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>hosts allow, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>hosts deny, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>house-keeping, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>HOWTO documents, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>HP JetDirect, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>HP Photosmart, <a class="indexterm" href="CUPS-printing.html#id411496">Foomatic Database-Generated PPDs</a></dt><dt>HP-GL, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>HP-GL., <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a></dt><dt>hpgltops, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a></dt><dt>HPIJS, <a class="indexterm" href="CUPS-printing.html#id411332">Driver Development Outside</a></dt><dt>HPUX, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>http, <a class="indexterm" href="Backup.html#id434193">Rsync</a></dt><dt>hybrid, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>Hybrid node, <a 
class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt></dl></div><div class="indexdiv"><h3>I</h3><dl><dt>IANA, <a class="indexterm" href="CUPS-printing.html#id402868">pstoraster</a></dt><dt>ID mapping, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>ID mapping database, <a class="indexterm" href="winbind.html#id418479">User and Group ID Allocation</a></dt><dt>ID range, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a></dt><dt>IDEALX, <a class="indexterm" href="passdb.html#id362365">ldapsam</a></dt><dt>Identification, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>identify, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a></dt><dt>identity, <a class="indexterm" href="idmapper.html#id372854">Standalone Samba Server</a></dt><dt>identity information, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>identity management, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dd><dl><dt>centralized, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt></dl></dd><dt>identity resolution, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a></dt><dt>IDMAP, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="idmapper.html#id372854">Standalone Samba Server</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain 
Member Client</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a></dt><dt>idmap, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>idmap backend, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="upgrading-to-3.0.html#id441231">IdMap LDAP Support</a></dt><dt>IDMAP backend, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>idmap gid, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a></dt><dt>idmap GID, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>IDMAP infrastructure, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>idmap uid, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a>, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a></dt><dt>idmap UID, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>idmap_ad, <a class="indexterm" href="passdb.html#idmapbackend">Mapping 
Common UIDs/GIDs on Distributed Machines</a></dt><dt>idmap_ldap module, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>idmap_rid, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a></dt><dt>IETF, <a class="indexterm" href="CUPS-printing.html#id398866">Overview</a></dt><dt>ifconfig, <a class="indexterm" href="compiling.html#id450196">Starting from inetd.conf</a>, <a class="indexterm" href="speed.html#id452577">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>ignore connection, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>imagetoraster, <a class="indexterm" href="CUPS-printing.html#id403119">imagetops and imagetoraster</a></dt><dt>immutable, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>impersonate, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>implementing oplocks, <a class="indexterm" href="locking.html#id384149">Advanced Samba Oplocks Parameters</a></dt><dt>Implicit Classes, <a class="indexterm" href="CUPS-printing.html#id414413">Print Queue Called &#8220;lp&#8221; Mishandles Print Jobs</a></dt><dt>important announcements, <a class="indexterm" href="securing-samba.html#id386212">Upgrading Samba</a></dt><dt>Imprints, <a class="indexterm" href="classicalprinting.html#id397992">The Imprints Toolset</a></dt><dt>imprints, <a class="indexterm" href="CUPS-printing.html#id400430">Driver Upload Methods</a></dt><dt>include, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>independent, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>individual domain user, <a class="indexterm" 
href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>individual section, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>inetd, <a class="indexterm" href="SWAT.html#id443404">Validate SWAT Installation</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a>, <a class="indexterm" href="compiling.html#startingSamba">Starting the smbd nmbd and winbindd</a>, <a class="indexterm" href="compiling.html#id450196">Starting from inetd.conf</a></dt><dt>inetd.conf, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>inetorgperson.schema, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a></dt><dt>inf file, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a></dt><dt>infrastructure, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a>, <a class="indexterm" href="winbind.html#id417805">Target Uses</a></dt><dt>inheritance, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>inherits rights, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a></dt><dt>initdb.ldif, <a class="indexterm" href="FastStart.html#id329639">The Primary Domain Controller</a></dt><dt>initGroups.sh, <a class="indexterm" href="FastStart.html#id328866">Example: Engineering Office</a>, <a class="indexterm" href="groupmapping.html#id367342">Script to Configure Group Mapping</a>, <a class="indexterm" href="NT4Migration.html#id442286">Steps in Migration Process</a></dt><dt>inktype, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>insecure, <a class="indexterm" href="StandAloneServer.html#id344722">Features and Benefits</a>, <a class="indexterm" href="securing-samba.html#id385501">Using Host-Based Protection</a></dt><dt>inspire simplicity, <a class="indexterm" 
href="StandAloneServer.html#id344984">Example Configuration</a></dt><dt>inspired structure, <a class="indexterm" href="SambaHA.html#id434596">Technical Discussion</a></dt><dt>install drivers, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a>, <a class="indexterm" href="classicalprinting.html#id393254">Point'n'Print Client Drivers on Samba Servers</a></dt><dt>interactive help, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>interdomain</dt><dd><dl><dt>trust</dt><dd><dl><dt>account, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt></dl></dd><dt>trustrs, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a></dt></dl></dd><dt>interdomain connection, <a class="indexterm" href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></dt><dt>interdomain trust, <a class="indexterm" href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a>, <a class="indexterm" href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>interdomain trust accounts, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>interdomain trusts, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="InterdomainTrusts.html#id386823">Features and Benefits</a></dt><dt>Interdomain Trusts, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dd><dl><dt>Completing, <a class="indexterm" href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a></dt><dt>creating, <a class="indexterm" href="InterdomainTrusts.html#id387144">Native MS Windows NT4 Trusts Configuration</a></dt><dt>Facilities, <a class="indexterm" href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></dt></dl></dd><dt>interface, <a 
class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>interface scripts, <a class="indexterm" href="passdb.html#id360511">User Account Management</a></dt><dt>interface-based exclusion, <a class="indexterm" href="securing-samba.html#id385353">Features and Benefits</a></dt><dt>interfaces, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a>, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>intermediate information, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>intermediate tools, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>internal ordering, <a class="indexterm" href="SWAT.html#id443273">Features and Benefits</a></dt><dt>internationalization support, <a class="indexterm" href="SWAT.html#id443386">Guidelines and Technical Tips</a></dt><dt>Internet, <a class="indexterm" href="securing-samba.html#id385501">Using Host-Based Protection</a>, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>Internet Engineering Task Force (see IETF)</dt><dt>Internet Printing Protocol (see IPP)</dt><dt>Internet Protocol TCP/IP, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>Internetworking Packet Exchange (see IPX)</dt><dt>internetworking super daemon, <a class="indexterm" href="SWAT.html#id443273">Features and Benefits</a></dt><dt>interoperability, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a class="indexterm" 
href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="SambaHA.html#id435168">Restrictive Constraints on Distributed File Systems</a></dt><dt>intolerance, <a class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a></dt><dt>invalid shell, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a></dt><dt>invalid users, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>IP address, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>IP address automatically, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>IP addresses, <a class="indexterm" href="integrate-ms-networks.html#id431155">/etc/hosts</a></dt><dt>IP aliases, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>IPC$, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a>, <a class="indexterm" href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></dt><dt>IPC$ connections, <a class="indexterm" href="SambaHA.html#id434861">The Front-End Challenge</a></dt><dt>ipchains, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>ipconfig, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a></dt><dt>iPlanet, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>IPP, <a class="indexterm" href="CUPS-printing.html#id407885">Understanding cupsaddsmb</a></dt><dt>IPP client, <a class="indexterm" href="CUPS-printing.html#id413852">Administrator Cannot Install Printers for All Local Users</a></dt><dt>iptables, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>IPv6, <a class="indexterm" 
href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>IPX, <a class="indexterm" href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a></dt><dt>IRC, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>IRIX, <a class="indexterm" href="VFS.html#id414746">Discussion</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>ISC</dt><dd><dl><dt>DHCP, <a class="indexterm" href="DNSDHCP.html#id454166">Features and Benefits</a></dt><dt>DNS, <a class="indexterm" href="DNSDHCP.html#id454166">Features and Benefits</a></dt></dl></dd><dt>ISC DHCP server, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>isolated workgroup, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>IXFR, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a></dt></dl></div><div class="indexdiv"><h3>J</h3><dl><dt>Japanese, <a class="indexterm" href="unicode.html#id432847">Japanese Charsets</a>, <a class="indexterm" href="SWAT.html#id444127">Enabling SWAT Internationalization Support</a></dt><dt>Japanese locale, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>Japanese UNIX, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>Java, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>JIS X 0208, <a class="indexterm" href="unicode.html#id432847">Japanese Charsets</a></dt><dt>join, <a class="indexterm" href="idmapper.html#id374170">NT4-Style Domains (Includes Samba Domains)</a></dt><dt>join client, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>join domain, <a 
class="indexterm" href="samba-pdc.html#id336454">Joining Domain Fails Because of Existing Machine Account</a></dt><dt>join the ADS domain, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>join the domain, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>join the machine, <a class="indexterm" href="domain-member.html#id341570">Windows NT4 Client</a></dt><dt>joined client, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>Joined domain, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>joining, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>joining domain, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a></dt><dt>joining the domain, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>JPEG, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt></dl></div><div class="indexdiv"><h3>K</h3><dl><dt>KB 129202, <a class="indexterm" href="locking.html#id385094">Additional Reading</a></dt><dt>KB 224992, <a class="indexterm" href="locking.html#id385094">Additional Reading</a></dt><dt>KB 296264, <a class="indexterm" href="locking.html#id385094">Additional Reading</a></dt><dt>KB 811492, <a class="indexterm" href="locking.html#id385065">Long Delays Deleting Files over Network with XP SP1</a></dt><dt>KB 812937, <a class="indexterm" href="locking.html#id385042">Problems Saving Files in MS Office on Windows XP</a></dt><dt>KDC, <a class="indexterm" href="domain-member.html#ads-member">Samba ADS Domain Membership</a>, <a class="indexterm" 
href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>KDE, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>KDE konqueror, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>KDE session, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>KDEPrint, <a class="indexterm" href="CUPS-printing.html#id398866">Overview</a></dt><dt>kerberos, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a></dt><dt>Kerberos, <a class="indexterm" href="domain-member.html#ads-member">Samba ADS Domain Membership</a>, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="domain-member.html#id343732">Possible Errors</a>, <a class="indexterm" href="domain-member.html#ads-test-smbclient">Testing with smbclient</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a>, <a class="indexterm" href="winbind.html#id418082">Microsoft Active Directory Services</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440518">Passdb Backends and Authentication</a></dt><dd><dl><dt>/etc/krb5.conf, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt></dl></dd><dt>Kerberos authentication, <a class="indexterm" href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt>killall, <a class="indexterm" href="compiling.html#id450196">Starting from inetd.conf</a></dt><dt>kinit, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" 
href="domain-member.html#ads-create-machine-account">Create the Computer Account</a>, <a class="indexterm" href="domain-member.html#id343732">Possible Errors</a></dt><dt>kixstart, <a class="indexterm" href="NT4Migration.html#id442139">Logon Scripts</a></dt><dt>kprinter, <a class="indexterm" href="CUPS-printing.html#id411496">Foomatic Database-Generated PPDs</a></dt><dt>KRB, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a></dt><dt>KRB5, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>krb5.conf, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt></dl></div><div class="indexdiv"><h3>L</h3><dl><dt>LAN, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a>, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a>, <a class="indexterm" href="problems.html#id446780">Diagnostics Tools</a></dt><dt>LanMan, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-bdc.html#id337275">Essential Background Information</a>, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a>, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>LanMan logon service, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a></dt><dt>LanMan passwords, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></dt><dt>LanManager, <a class="indexterm" href="ServerType.html#id331101">User Level Security</a>, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: 
Windows 9x/Me</a></dt><dt>LanManager-compatible, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></dt><dt>LanManger password, <a class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a></dt><dt>laptops, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>large directory, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>large domain, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a></dt><dt>large numbers of files, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>large organizations, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>last change time, <a class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a></dt><dt>latency, <a class="indexterm" href="locking.html#id383934">Slow and/or Unreliable Networks</a></dt><dt>laws, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>LCT (see last change time)</dt><dt>LDAP, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a>, <a class="indexterm" href="samba-bdc.html#id339736">Can I Do This All with LDAP?</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a>, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID 
Mappings between Samba Domain Members</a>, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a>, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="passdb.html#id362365">ldapsam</a>, <a class="indexterm" href="passdb.html#id362595">Supported LDAP Servers</a>, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a>, <a class="indexterm" href="passdb.html#id363272">Configuring Samba</a>, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374021">Backup Domain Controller</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="InterdomainTrusts.html#id386823">Features and Benefits</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a>, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a class="indexterm" href="winbind.html#id418082">Microsoft Active Directory Services</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" 
href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440518">Passdb Backends and Authentication</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dd><dl><dt>directories, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>master, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a></dt><dt>server, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a></dt><dt>slave, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a>, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a></dt></dl></dd><dt>LDAP administration password, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a></dt><dt>LDAP administrative password, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a></dt><dt>LDAP backend, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438531">Quick Migration Guide</a></dt><dt>LDAP backends, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>LDAP database, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>LDAP deployment, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>LDAP directory, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a>, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a>, <a class="indexterm" 
href="passdb.html#id362365">ldapsam</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>ldap group suffix, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a>, <a class="indexterm" href="upgrading-to-3.0.html#id441075">New Suffix for Searching</a></dt><dt>LDAP idmap Backend, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>ldap idmap suffix, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a>, <a class="indexterm" href="upgrading-to-3.0.html#id441075">New Suffix for Searching</a></dt><dt>ldap machine suffix, <a class="indexterm" href="upgrading-to-3.0.html#id441075">New Suffix for Searching</a></dt><dt>LDAP queries, <a class="indexterm" href="upgrading-to-3.0.html#id441075">New Suffix for Searching</a></dt><dt>LDAP redirects, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>LDAP schema, <a class="indexterm" href="ChangeNotes.html#id349573">LDAP Changes in Samba-3.0.23</a></dt><dt>LDAP server, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>ldap suffix, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a>, <a class="indexterm" href="upgrading-to-3.0.html#id441075">New Suffix for Searching</a></dt><dt>ldap user suffix, <a class="indexterm" href="upgrading-to-3.0.html#id441075">New Suffix for Searching</a></dt><dt>LDAP-based, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>LDAP., <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></dt><dt>LDAP/Kerberos, <a 
class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>LDAPS, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>ldapsam, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a>, <a class="indexterm" href="passdb.html#id362365">ldapsam</a>, <a class="indexterm" href="passdb.html#id362595">Supported LDAP Servers</a>, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a>, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>ldapsam_compat, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>ldapsearch, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>LDAPv3, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>ldconfig, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>ldd, <a class="indexterm" href="CUPS-printing.html#id399084">Linking smbd with libcups.so</a></dt><dt>LDIF, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>LDIF file, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a></dt><dt>legacy systems, 
<a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>legal UNIX system account name, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a></dt><dt>Level1 Oplock, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>Level1 oplock, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>Level2 Oplock, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>LGPL, <a class="indexterm" href="passdb.html#id362365">ldapsam</a></dt><dt>libcups, <a class="indexterm" href="classicalprinting.html#id392119">Default UNIX System Printing Commands</a>, <a class="indexterm" href="CUPS-printing.html#id399084">Linking smbd with libcups.so</a></dt><dt>libcups.so, <a class="indexterm" href="CUPS-printing.html#id399084">Linking smbd with libcups.so</a></dt><dt>libcups.so.2, <a class="indexterm" href="CUPS-printing.html#id399084">Linking smbd with libcups.so</a></dt><dt>Liberty Alliance, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>libiconv, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>libnss_winbind, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>libnss_winbind.so, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a>, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>libnss_wins.so, <a class="indexterm" href="integrate-ms-networks.html#id431397">/etc/nsswitch.conf</a></dt><dt>libraries, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>Licence, 
<a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>licensing, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>limit, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>limitations, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>linewidth, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>link loader configuration, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>Links</dt><dd><dl><dt>hard, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>soft, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></dd><dt>Linux, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>Linux High Availability project, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>Linux LVM, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>Linux LVM partition, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>LinuxKongress2002, <a class="indexterm" href="CUPS-printing.html#id411224">The Grand Unification Achieved</a></dt><dt>Linuxprinting.org, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a>, <a class="indexterm" href="CUPS-printing.html#id410734">CUPS Print Drivers from 
Linuxprinting.org</a>, <a class="indexterm" href="CUPS-printing.html#id411332">Driver Development Outside</a></dt><dt>list of domain controllers, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>listen for connections, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>listen own socket, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>LLC, <a class="indexterm" href="integrate-ms-networks.html">Integrating MS Windows Networks with Samba</a></dt><dt>LM/NT password hashes, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a>, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>LMB, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id353486">Use of the Remote Browse Sync Parameter</a>, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a>, <a class="indexterm" href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a>, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a> (see Local Master Browser)</dt><dt>LMHOSTS, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" 
href="integrate-ms-networks.html#id431980">The LMHOSTS File</a></dt><dt>lmhosts, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></dt><dt>load balancing, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>loaded modules, <a class="indexterm" href="VFS.html#id414711">Features and Benefits</a></dt><dt>loading printer drivers, <a class="indexterm" href="classicalprinting.html#id391779">Any [my_printer_name] Section</a></dt><dt>local</dt><dd><dl><dt>groups, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a></dt><dt>master</dt><dd><dl><dt>browser, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a></dt></dl></dd></dl></dd><dt>local access permissions, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>local accounts, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>local administrative privileges, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>Local Area Connection, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>Local Area Connection Properties, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>local authentication, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a></dt><dt>local authentication database, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a></dt><dt>local cache, <a class="indexterm" href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a></dt><dt>local disk, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>local domain, <a class="indexterm" href="winbind.html#id417844">Handling of Foreign SIDs</a></dt><dt>local 
group, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>local groups, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a></dt><dt>Local Machine Trust Account, <a class="indexterm" href="samba-bdc.html#id339540">Machine Accounts Keep Expiring</a></dt><dt>Local Master Browser, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id353357">Use of the Remote Announce Parameter</a></dt><dt>local master browser (see LMB)</dt><dt>local names, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>local print driver, <a class="indexterm" href="classicalprinting.html#id393726">[print$] Stanza Parameters</a></dt><dt>local profile, <a class="indexterm" href="ProfileMgmt.html#id424492">Disabling Roaming Profile Support</a>, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>local profiles, <a class="indexterm" href="ProfileMgmt.html#id424037">Features and Benefits</a></dt><dt>local registry values, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a></dt><dt>Local security policies, <a class="indexterm" href="CUPS-printing.html#id413821">Windows 200x/XP Local Security Policies</a></dt><dt>local smbpasswd file, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a></dt><dt>local spool area, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a></dt><dt>local subnet, <a class="indexterm" 
href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>local system printing, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a></dt><dt>local UNIX groups, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>local user, <a class="indexterm" href="idmapper.html#id372854">Standalone Samba Server</a>, <a class="indexterm" href="winbind.html#id420456">Restarting</a></dt><dt>local user account, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>local users, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a></dt><dt>locale, <a class="indexterm" href="SWAT.html#id444127">Enabling SWAT Internationalization Support</a></dt><dt>localhost, <a class="indexterm" href="securing-samba.html#id385501">Using Host-Based Protection</a></dt><dt>locally known UID, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>locate domain controller, <a class="indexterm" href="samba-bdc.html#id338437">How Does a Workstation find its Domain Controller?</a></dt><dt>Lock caching, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>lock directory, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>lock password, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>lock the account, <a class="indexterm" href="passdb.html#id360988">Changing User Accounts</a></dt><dt>locking, <a class="indexterm" href="locking.html">File and Record Locking</a>, <a class="indexterm" href="locking.html#id383088">Features and Benefits</a>, <a class="indexterm" href="locking.html#id383174">Discussion</a>, <a class="indexterm" href="SambaHA.html#id435046">The Distributed 
File System Challenge</a></dt><dt>locking protocol, <a class="indexterm" href="locking.html#id383088">Features and Benefits</a></dt><dt>locking semantics, <a class="indexterm" href="locking.html#id383088">Features and Benefits</a>, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>locking.tdb, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>lockout, <a class="indexterm" href="ServerType.html#id332151">Example Configuration</a></dt><dt>log files, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a></dt><dd><dl><dt>monitoring, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a></dt></dl></dd><dt>log level, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a>, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a>, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a>, <a class="indexterm" href="bugreport.html#dbglvl">Debug Levels</a></dt><dt>log.nmbd, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>logging, <a class="indexterm" href="VFS.html#id415517">Configuration of Auditing</a>, <a class="indexterm" href="bugreport.html#id448181">Debugging-Specific Operations</a></dt><dt>logical directories, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>Logical Link Control (see LLC)</dt><dt>logical volume, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>Logical Volume Manager (see LVM)</dt><dt>Login, <a class="indexterm" href="passdb.html#id358119">Advantages of Non-Encrypted Passwords</a></dt><dt>login, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>login id, <a 
class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a></dt><dt>login name, <a class="indexterm" href="install.html#id325348">Example Configuration</a></dt><dt>login shells, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>LoginID, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>logon, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></dt><dt>logon authentication, <a class="indexterm" href="samba-bdc.html#id338539">NetBIOS Over TCP/IP Disabled</a></dt><dt>logon drive, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>logon home, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="ProfileMgmt.html#id424269">Windows 9x/Me User Profiles</a></dt><dt>logon name, <a class="indexterm" href="NetCommand.html#id369950">User Mapping</a></dt><dt>logon path, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>logon processing, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>logon requests, <a class="indexterm" href="samba-bdc.html#id337275">Essential Background Information</a>, <a class="indexterm" href="samba-bdc.html#id338488">NetBIOS Over TCP/IP Enabled</a>, <a class="indexterm" href="samba-bdc.html#id339588">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></dt><dt>logon script, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a></dt><dt>Logon Scripts, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>Logon scripts, <a class="indexterm" href="NT4Migration.html#id442139">Logon Scripts</a></dt><dt>logon server, <a 
class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a></dt><dt>logons, <a class="indexterm" href="ProfileMgmt.html#id424138">NT4/200x User Profiles</a></dt><dt>lookups, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>loopback adapter, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>loopback interface, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a>, <a class="indexterm" href="Portability.html#id451021">Red Hat Linux</a></dt><dt>lower-case, <a class="indexterm" href="ServerType.html#id331101">User Level Security</a></dt><dt>lowercase filenames, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>lp, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a>, <a class="indexterm" href="CUPS-printing.html#id414413">Print Queue Called &#8220;lp&#8221; Mishandles Print Jobs</a></dt><dt>lpadmin, <a class="indexterm" href="CUPS-printing.html#id404006">&#8220;Raw&#8221; Printing</a>, <a class="indexterm" href="CUPS-printing.html#id405456">Printing with Interface Scripts</a>, <a class="indexterm" href="CUPS-printing.html#id410734">CUPS Print Drivers from Linuxprinting.org</a>, <a class="indexterm" href="CUPS-printing.html#id412052">Setting Up Quotas</a></dt><dt>LPD, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>lpinfo, <a class="indexterm" href="CUPS-printing.html#id403411">CUPS Backends</a></dt><dt>lpq cache time, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>lpq command, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>LPRNG, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>lpstat, <a 
class="indexterm" href="install.html#id324334">Configuration File Syntax</a>, <a class="indexterm" href="CUPS-printing.html#id410123">Troubleshooting Revisited</a></dt><dt>LPT1:, <a class="indexterm" href="classicalprinting.html#id397860">Samba and Printer Ports</a></dt><dt>LsaEnumTrustedDomains, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a></dt><dt>LTSP, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>Lustre, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a></dt><dt>lvcreate, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>LVM, <a class="indexterm" href="VFS.html#id416094">shadow_copy</a>, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>LVM snapshots, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>LVM volume, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>lvm10 package, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt></dl></div><div class="indexdiv"><h3>M</h3><dl><dt>m-node, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>MAC address, <a class="indexterm" href="integrate-ms-networks.html#id431155">/etc/hosts</a></dt><dt>MAC Addresses, <a class="indexterm" href="integrate-ms-networks.html#id431155">/etc/hosts</a></dt><dt>Mac OS X , <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>machine, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></dt><dd><dl><dt>account, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></dt></dl></dd><dt>machine account, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a 
class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a>, <a class="indexterm" href="passdb.html#id362220">tdbsam</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>machine account password</dt><dd><dl><dt>change protocol, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt></dl></dd><dt>machine accounts, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="passdb.html#acctmgmttools">Account Management Tools</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>machine accounts database, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>machine authentication, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>machine name, <a class="indexterm" href="integrate-ms-networks.html#id431155">/etc/hosts</a>, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a></dt><dt>Machine Policy Objects, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>machine SID, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></dt><dt>machine trust account, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="domain-member.html">Domain Membership</a>, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional 
Client</a>, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a>, <a class="indexterm" href="domain-member.html#id344314">Cannot Add Machine Back to Domain</a></dt><dd><dl><dt>create privilege, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional Client</a></dt><dt>creation, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>password, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt></dl></dd><dt>Machine Trust Account, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341570">Windows NT4 Client</a></dt><dd><dl><dt>creation, <a class="indexterm" href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a></dt><dt>password, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>UNIX account, <a class="indexterm" href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a></dt></dl></dd><dt>Machine Trust Accounts, <a class="indexterm" href="samba-bdc.html#id339540">Machine Accounts Keep Expiring</a>, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt>creating, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt></dl></dd><dt>machine trust accounts, <a class="indexterm" href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a>, 
<a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a class="indexterm" href="domain-member.html#id344280">Common Errors</a>, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>machine_name, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>machine_nickname, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>Macintosh, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>macros, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a></dt><dt>mail, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>mailing list, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>mailing lists, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>maintaining ids, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>major changes, <a class="indexterm" href="upgrading-to-3.0.html#id440069">New Functionality</a></dt><dt>make, <a class="indexterm" href="integrate-ms-networks.html#id431397">/etc/nsswitch.conf</a>, <a class="indexterm" href="compiling.html#id449722">Building the Binaries</a></dt><dt>man, <a class="indexterm" href="SWAT.html#id443273">Features and Benefits</a></dt><dt>man page, <a class="indexterm" href="winbind.html#id419410">Configure smb.conf</a></dt><dt>man pages, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>man-in-the-middle, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>manage accounts, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>manage drivers, <a class="indexterm" 
href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>manage groups, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>manage printers, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>manage privileges, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a></dt><dt>manage roaming profiles, <a class="indexterm" href="ProfileMgmt.html#id424037">Features and Benefits</a></dt><dt>manage share permissions, <a class="indexterm" href="AccessControls.html#id380864">Windows NT4 Workstation/Server</a></dt><dt>manage share-level ACL, <a class="indexterm" href="groupmapping.html#id366379">Applicable Only to Versions Earlier than 3.0.11</a></dt><dt>manage shares, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>manage users, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>manageability, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>Manageability, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>managed by humans, <a class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a></dt><dt>management bottleneck, <a class="indexterm" href="locking.html#id383974">Multiuser Databases</a></dt><dt>management costs, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>management overheads, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>management procedures, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>management tools, <a class="indexterm" href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dt>managing rights, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc 
rights&#8221; Utility</a></dt><dt>mandatory profiles, <a class="indexterm" href="ProfileMgmt.html#id426418">Mandatory Profiles</a></dt><dt>Mandrake, <a class="indexterm" href="CUPS-printing.html#id411425">Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)</a></dt><dt>Mandriva, <a class="indexterm" href="CUPS-printing.html#id411425">Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)</a></dt><dt>manual UNIX account creation, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>manual WINS server entries, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>manually configured, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>manually configured DNS settings, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>map, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional Client</a>, <a class="indexterm" href="NT4Migration.html#id442241">User and Group Accounts</a></dt><dt>mapped, <a class="indexterm" href="groupmapping.html#id366270">Important Administrative Information</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>mapping, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a>, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>mapping home directory, <a class="indexterm" href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a></dt><dt>mapping printer driver, <a class="indexterm" href="classicalprinting.html#id395790">Running rpcclient with 
setdriver</a></dt><dt>mappings, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a></dt><dt>maps UNIX users and groups, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a></dt><dt>master browser, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>master browsers, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>master server, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>master smb.conf, <a class="indexterm" href="cfgsmarts.html#id437590">Multiple Virtual Server Hosting</a></dt><dt>MasterAnnouncement, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>match case, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>maximum value, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>mbd kept spawning, <a class="indexterm" href="speed.html#id452660">Corrupt tdb Files</a></dt><dt>Meccano set, <a class="indexterm" href="Backup.html#id433944">Discussion of Backup Solutions</a></dt><dt>mechanism, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>media type, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>member, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>member machine, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>memory, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>messages.tdb, <a 
class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>messaging systems, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>Meta node, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>meta-directory, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>meta-service, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a></dt><dt>meta-services, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>Microsoft Active Directory, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>Microsoft Developer Network CDs, <a class="indexterm" href="problems.html#id447261">The Windows Network Monitor</a></dt><dt>Microsoft driver, <a class="indexterm" href="CUPS-printing.html#id406303">PostScript Drivers with No Major Problems, Even in Kernel
-Mode</a></dt><dt>Microsoft management console (see MMC)</dt><dt>Microsoft Remote Procedure Call (see MSRPC)</dt><dt>Microsoft Windows 9x/Me, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>Microsoft Wolfpack, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>middle-ware, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>migrate, <a class="indexterm" href="ServerType.html">Server Types and Security Modes</a>, <a class="indexterm" href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dt>migrate account settings, <a class="indexterm" href="NT4Migration.html#id442241">User and Group Accounts</a></dt><dt>migrate group, <a class="indexterm" href="NT4Migration.html#id442241">User and Group Accounts</a></dt><dt>migrate user, <a class="indexterm" href="NT4Migration.html#id442241">User and Group Accounts</a></dt><dt>migrating, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>migration, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>migration plan, <a class="indexterm" href="NT4Migration.html#id441392">Planning and Getting Started</a></dt><dt>migration process, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>MIME, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a>, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a>, <a class="indexterm" href="CUPS-printing.html#id402381">Filtering Overview</a>, <a class="indexterm" href="CUPS-printing.html#id404106">application/octet-stream Printing</a></dt><dd><dl><dt>filters, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>raw, <a class="indexterm" href="FastStart.html#id326962">Anonymous Print Server</a>, <a class="indexterm" 
href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="CUPS-printing.html#cups-raw">Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream</a></dt></dl></dd><dt>MIME conversion rules, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a></dt><dt>MIME recognition, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a></dt><dt>MIME type, <a class="indexterm" href="CUPS-printing.html#cups-raw">Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream</a>, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a>, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a>, <a class="indexterm" href="CUPS-printing.html#id404106">application/octet-stream Printing</a></dt><dt>mime.types, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>minimal</dt><dd><dl><dt>configuration, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a></dt></dl></dd><dt>minimal configuration, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a></dt><dt>minimum security control, <a class="indexterm" href="StandAloneServer.html">Standalone Servers</a></dt><dt>misconfigurations, <a class="indexterm" href="install.html#id325571">Test Your Config File with testparm</a></dt><dt>misconfigured settings, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a></dt><dt>misinformation, <a class="indexterm" href="domain-member.html">Domain Membership</a></dt><dt>mission-critical, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a>, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>MIT, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" 
href="idmapper.html#id374447">ADS Domains</a></dt><dt>MIT kerberos, <a class="indexterm" href="idmapper.html#id374447">ADS Domains</a>, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></dt><dt>MIT Kerberos, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>mixed mode, <a class="indexterm" href="ServerType.html#id331866">ADS Security Mode (User-Level Security)</a>, <a class="indexterm" href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>mixed profile, <a class="indexterm" href="ProfileMgmt.html#id424419">Mixed Windows Windows 9x/Me and NT4/200x User Profiles</a></dt><dt>mkdir, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>mkfs.xfs, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>MMC, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a>, <a class="indexterm" href="AccessControls.html#id380962">Windows 200x/XP</a>, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423706">Windows NT4/200x</a>, <a class="indexterm" href="ProfileMgmt.html#id424492">Disabling Roaming Profile Support</a></dt><dt>MMC snap-in, <a class="indexterm" href="PolicyMgmt.html#id423192">Administration of Windows 200x/XP Policies</a></dt><dt>modem/ISDN, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>moderately 
secure, <a class="indexterm" href="securing-samba.html#id385353">Features and Benefits</a></dt><dt>modprobe, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>module, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>modules, <a class="indexterm" href="VFS.html#id414711">Features and Benefits</a>, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>more than one protocol, <a class="indexterm" href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a></dt><dt>mount, <a class="indexterm" href="ServerType.html#id331249">Share-Level Security</a>, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>mouse-over, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>moveuser.exe, <a class="indexterm" href="ProfileMgmt.html#id426318">moveuser.exe</a></dt><dt>MS DCE RPC, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a></dt><dt>MS Windows 2000, <a class="indexterm" href="samba-bdc.html#id338300">Active Directory Domain Control</a></dt><dt>MS Windows NT4/200x, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>MS Windows SID, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>MS WINS, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a></dt><dt>MS-DFS, <a class="indexterm" href="SambaHA.html#id435618">MS-DFS: The Poor Man's Cluster</a></dt><dt>MS-RPC, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>MS-WINS replication, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>msdfs links, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>msg, <a class="indexterm" href="SWAT.html#id444127">Enabling SWAT 
Internationalization Support</a></dt><dt>msg file, <a class="indexterm" href="SWAT.html#id444127">Enabling SWAT Internationalization Support</a></dt><dt>MSRPC, <a class="indexterm" href="winbind.html#id418004">Microsoft Remote Procedure Calls</a>, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a></dt><dt>multibyte character sets, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>multibyte charsets, <a class="indexterm" href="unicode.html#id432573">What Are Charsets and Unicode?</a></dt><dt>multiple backends, <a class="indexterm" href="passdb.html#id361852">Password Backends</a></dt><dt>multiple domains, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>multiple hosting, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>multiple modules, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>multiple network interfaces, <a class="indexterm" href="NetworkBrowsing.html#id353180">Multiple Interfaces</a></dt><dt>multiple network segments, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>multiple personality, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>multiple server hosting, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>multiple server personalities, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>multiple servers, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a>, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>multiple universal naming convention provider (see MUP)</dt><dt>multiple VFS, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>multiple virtual servers, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server 
Personalities</a></dt><dt>multiple Windows workgroups or domains, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>multiple WINS servers, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>Multiuser databases, <a class="indexterm" href="locking.html#id383974">Multiuser Databases</a></dt><dt>mutual assistance, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>mutually exclusive options, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a></dt><dt>My Network Places, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a>, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a></dt><dt>Myrinet, <a class="indexterm" href="SambaHA.html#id435316">Server Pool Communications Demands</a></dt></dl></div><div class="indexdiv"><h3>N</h3><dl><dt>n security context, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>n-memory buffer, <a class="indexterm" href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a></dt><dt>name conflict, <a class="indexterm" href="classicalprinting.html#id391779">Any [my_printer_name] Section</a></dt><dt>name lookup, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a></dt><dt>name lookups, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>name registration, <a class="indexterm" href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a></dt><dt>name resolution, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a>, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" 
href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#id354713">Technical Overview of Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id356151">Common Errors</a>, <a class="indexterm" href="integrate-ms-networks.html#id431155">/etc/hosts</a>, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a></dt><dt>name resolution across routed networks, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>name resolve order, <a class="indexterm" href="NetworkBrowsing.html#id354520">Name Resolution Order</a></dt><dt>name service switch (see NSS)</dt><dt>name-to-address, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></dt><dt>nameserv.h, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>name_type, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a>, <a class="indexterm" href="NetworkBrowsing.html#id354520">Name Resolution Order</a></dt><dt>native ACLs, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a></dt><dt>native dump, <a class="indexterm" href="Backup.html#id434353">Amanda</a></dt><dt>native member, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a></dt><dt>native mode, <a class="indexterm" href="ServerType.html#id331866">ADS Security Mode (User-Level Security)</a>, <a class="indexterm" href="winbind.html#id418082">Microsoft Active Directory Services</a></dt><dt>NBT, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a></dt><dt>nbtstat, <a class="indexterm" href="domain-member.html#id344314">Cannot Add Machine Back to Domain</a>, <a class="indexterm" 
href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a></dt><dt>necessary rights, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>negotiate, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>negotiating the charset, <a class="indexterm" href="unicode.html#id432573">What Are Charsets and Unicode?</a></dt><dt>nested group, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>Nested Group Support, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>nested groups, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></dt><dt>net, <a class="indexterm" href="passdb.html#acctmgmttools">Account Management Tools</a>, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a class="indexterm" href="NetCommand.html">Remote and Local Management: The Net Command</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="NetCommand.html#id368198">Administrative Tasks and Methods</a>, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a>, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dd><dl><dt>ads, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a></dt><dd><dl><dt>join, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a>, <a class="indexterm" href="NetCommand.html#id370349">Machine Trust Accounts</a>, <a class="indexterm" href="idmapper.html#id374447">ADS 
Domains</a></dt><dt>leave, <a class="indexterm" href="NetCommand.html#id370349">Machine Trust Accounts</a></dt><dt>printer info, <a class="indexterm" href="NetCommand.html#id372165">Printers and ADS</a></dt><dt>printer publish, <a class="indexterm" href="NetCommand.html#id372165">Printers and ADS</a></dt><dt>printer remove, <a class="indexterm" href="NetCommand.html#id372165">Printers and ADS</a></dt><dt>printer search, <a class="indexterm" href="NetCommand.html#id372165">Printers and ADS</a></dt><dt>status, <a class="indexterm" href="NetCommand.html#id370349">Machine Trust Accounts</a></dt><dt>testjoin, <a class="indexterm" href="NetCommand.html#id370349">Machine Trust Accounts</a></dt></dl></dd><dt>getlocalsid, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>groupmap, <a class="indexterm" href="FastStart.html#id328866">Example: Engineering Office</a>, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="groupmapping.html#id367100">Example Configuration</a>, <a class="indexterm" href="NT4Migration.html#id442286">Steps in Migration Process</a></dt><dd><dl><dt>add, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>delete, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>list, <a class="indexterm" href="groupmapping.html#id367100">Example Configuration</a>, <a class="indexterm" href="NetCommand.html#id368450">Adding or Creating a New Group</a></dt><dt>modify, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt></dl></dd><dt>localgroup, <a class="indexterm" 
href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>rap, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a></dt><dd><dl><dt>session, <a class="indexterm" href="NetCommand.html#id372105">Session and Connection Management</a></dt></dl></dd><dt>rpc, <a class="indexterm" href="FastStart.html#id328056">Example Configuration</a>, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a>, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a>, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a></dt><dd><dl><dt>getsid, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></dt><dt>group, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="NetCommand.html#id368450">Adding or Creating a New Group</a></dt><dt>group add, <a class="indexterm" href="NetCommand.html#id368450">Adding or Creating a New Group</a></dt><dt>group addmem, <a class="indexterm" href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a>, <a class="indexterm" href="NetCommand.html#id369374">Managing Nest Groups on Workstations from the Samba Server</a></dt><dt>group delete, <a class="indexterm" href="NetCommand.html#id368910">Deleting a Group Account</a></dt><dt>group delmem, <a class="indexterm" href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></dt><dt>group list, <a class="indexterm" href="NetCommand.html#id368450">Adding or Creating a New Group</a></dt><dt>group members, <a class="indexterm" href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></dt><dt>group rename, <a class="indexterm" href="NetCommand.html#id368948">Rename Group 
Accounts</a></dt><dt>info, <a class="indexterm" href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a>, <a class="indexterm" href="ProfileMgmt.html#id426269">Side Bar Notes</a></dt><dt>join, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="NetCommand.html#id370349">Machine Trust Accounts</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a>, <a class="indexterm" href="NT4Migration.html#id442286">Steps in Migration Process</a></dt><dt>join bdc, <a class="indexterm" href="NetCommand.html#id370349">Machine Trust Accounts</a></dt><dt>join member, <a class="indexterm" href="NetCommand.html#id370349">Machine Trust Accounts</a></dt><dt>list, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>printer migrate drivers, <a class="indexterm" href="NetCommand.html#id371872">Printer Migration</a></dt><dt>printer migrate forms, <a class="indexterm" href="NetCommand.html#id371872">Printer Migration</a></dt><dt>printer migrate printers, <a class="indexterm" href="NetCommand.html#id371872">Printer Migration</a></dt><dt>printer migrate security, <a class="indexterm" href="NetCommand.html#id371872">Printer Migration</a></dt><dt>printer migrate settings, <a class="indexterm" href="NetCommand.html#id371872">Printer Migration</a></dt><dt>right list accounts, <a class="indexterm" href="NetCommand.html#id371426">Share Migration</a></dt><dt>rights grant, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>rights list, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>rights list accounts, <a class="indexterm" 
href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>share add, <a class="indexterm" href="NetCommand.html#id371140">Creating, Editing, and Removing Shares</a></dt><dt>share delete, <a class="indexterm" href="NetCommand.html#id371140">Creating, Editing, and Removing Shares</a></dt><dt>share migrate, <a class="indexterm" href="NetCommand.html#id371426">Share Migration</a></dt><dt>share migrate all, <a class="indexterm" href="NetCommand.html#id371818">Simultaneous Share and File Migration</a></dt><dt>share migrate files, <a class="indexterm" href="NetCommand.html#id371598">File and Directory Migration</a></dt><dt>share migrate security, <a class="indexterm" href="NetCommand.html#id371779">Share-ACL Migration</a></dt><dt>testjoin, <a class="indexterm" href="NetCommand.html#id370349">Machine Trust Accounts</a></dt><dt>trustdom add, <a class="indexterm" href="NetCommand.html#id370687">Interdomain Trusts</a></dt><dt>trustdom establish, <a class="indexterm" href="NetCommand.html#id370687">Interdomain Trusts</a>, <a class="indexterm" href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></dt><dt>trustdom list, <a class="indexterm" href="NetCommand.html#id370687">Interdomain Trusts</a></dt><dt>trustdom revoke, <a class="indexterm" href="NetCommand.html#id370687">Interdomain Trusts</a></dt><dt>user add, <a class="indexterm" href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></dt><dt>user delete, <a class="indexterm" href="NetCommand.html#id369843">Deletion of User Accounts</a>, <a class="indexterm" href="NetCommand.html#id370349">Machine Trust Accounts</a></dt><dt>user info, <a class="indexterm" href="NetCommand.html#id369887">Managing User Accounts</a></dt><dt>user password, <a class="indexterm" href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></dt><dt>user rename, <a class="indexterm" href="NetCommand.html#id369887">Managing User Accounts</a></dt><dt>vampire, <a class="indexterm" 
href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="NetCommand.html#id371336">Share, Directory, and File Migration</a>, <a class="indexterm" href="NT4Migration.html#id442286">Steps in Migration Process</a></dt></dl></dd><dt>setlocalsid, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></dt><dt>time, <a class="indexterm" href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></dt><dd><dl><dt>set, <a class="indexterm" href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></dt><dt>system, <a class="indexterm" href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></dt><dt>zone, <a class="indexterm" href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></dt></dl></dd><dt>use, <a class="indexterm" href="domain-member.html#ads-test-server">Testing Server Setup</a></dt></dl></dd><dt>NET, <a class="indexterm" href="PolicyMgmt.html#id423743">Samba PDC</a></dt><dt>net command, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>net getlocalsid, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>net groupmap, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>net rpc user add, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>net tool, <a class="indexterm" href="upgrading-to-3.0.html#id440518">Passdb Backends and Authentication</a></dt><dt>net use, <a class="indexterm" href="classicalprinting.html#id397538">Error Message: &#8220;Cannot connect under a different Name&#8221;</a></dt><dt>net use /home, <a class="indexterm" href="ProfileMgmt.html#id424269">Windows 9x/Me User Profiles</a></dt><dt>net use lpt1:, <a class="indexterm" href="CUPS-printing.html#id408287">Installing the PostScript Driver on a Client</a></dt><dt>net view, <a class="indexterm" href="classicalprinting.html#id390748">The [global] 
Section</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>netatalk, <a class="indexterm" href="VFS.html#id416047">netatalk</a></dt><dt>NetAtalk, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>Netatalk, <a class="indexterm" href="Other-Clients.html#id451283">Macintosh Clients</a></dt><dt>NetBEUI, <a class="indexterm" href="integrate-ms-networks.html">Integrating MS Windows Networks with Samba</a></dt><dt>NetBIOS, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a>, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a>, <a class="indexterm" href="samba-bdc.html#id338437">How Does a Workstation find its Domain Controller?</a>, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a>, <a class="indexterm" href="NetworkBrowsing.html#netdiscuss">Discussion</a>, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a>, <a class="indexterm" href="NetworkBrowsing.html#id354713">Technical Overview of Browsing</a>, <a class="indexterm" href="integrate-ms-networks.html">Integrating MS Windows Networks with Samba</a>, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a>, <a class="indexterm" href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a></dt><dd><dl><dt>brooadcast, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a></dt><dt>name, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></dt></dl></dd><dt>netbios alias, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>netbios aliases, <a 
class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>NetBIOS broadcast, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>NetBIOS disabled, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a></dt><dt>NetBIOS flags, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>NetBIOS name, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>netbios name, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>NetBIOS name cache, <a class="indexterm" href="domain-member.html#id344314">Cannot Add Machine Back to Domain</a>, <a class="indexterm" href="NetworkBrowsing.html#id356175">Flushing the Samba NetBIOS Name Cache</a></dt><dt>NetBIOS name length, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></dt><dt>NetBIOS name resolution, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>NetBIOS Name Server (see NBNS)</dt><dt>NetBIOS name type, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>NetBIOS names, <a class="indexterm" href="NetworkBrowsing.html#id354520">Name Resolution Order</a>, <a class="indexterm" href="integrate-ms-networks.html#id431397">/etc/nsswitch.conf</a></dt><dt>NetBIOS network interface, <a class="indexterm" 
href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a></dt><dt>NetBIOS networking, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a></dt><dt>NetBIOS over TCP/IP, <a class="indexterm" href="NetworkBrowsing.html">Network Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a>, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id354713">Technical Overview of Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a>, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a></dt><dt>NetBIOS over TCP/IP disabled, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></dt><dt>NetBIOS-less, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>NetBIOS-less SMB, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>NetBIOSless SMB over TCP/IP, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>NetBT, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a></dt><dt>netlogon, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt><dt>NETLOGON, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing 
Account/User Policies</a>, <a class="indexterm" href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a>, <a class="indexterm" href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a></dt><dt>Netlogon, <a class="indexterm" href="samba-bdc.html#id337275">Essential Background Information</a></dt><dt>NetLogon service, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></dt><dt>netlogon share, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="NT4Migration.html#id442286">Steps in Migration Process</a></dt><dt>Netmon, <a class="indexterm" href="problems.html#id447261">The Windows Network Monitor</a></dt><dt>Netmon., <a class="indexterm" href="problems.html#id447316">Installing Network Monitor on an NT Workstation</a></dt><dt>netmon.exe, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>NetSAMLogon, <a class="indexterm" href="ProfileMgmt.html#id424080">Roaming Profiles</a></dt><dt>Netscape's Directory Server, <a class="indexterm" href="passdb.html#id362595">Supported LDAP Servers</a></dt><dt>NetServerEnum2, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>NetUserGetInfo, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="ProfileMgmt.html#id424080">Roaming Profiles</a></dt><dt>NetWare, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a></dt><dt>NetWare Bindery, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>NetWare Core Protocol-based server, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>NetWkstaUserLogon, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a></dt><dt>network</dt><dd><dl><dt>browsing, <a 
class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt><dt>logon, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dd><dl><dt>service, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a>, <a class="indexterm" href="samba-bdc.html#id337275">Essential Background Information</a></dt></dl></dd><dt>performance, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt><dt>wide-area, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt></dl></dd><dt>network access controls, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>network access profile, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>network administrator, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>network administrator's toolbox, <a class="indexterm" href="NetCommand.html">Remote and Local Management: The Net Command</a></dt><dt>network administrators, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>network analyzer, <a class="indexterm" href="problems.html#id446780">Diagnostics Tools</a></dt><dt>network bandwidth, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>Network Basic Extended User Interface (see NetBEUI)</dt><dt>Network Basic Input/Output System (see NetBIOS)</dt><dt>Network Bridge, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>Network Bridge Configuration, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>network browsing problems, <a class="indexterm" 
href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></dt><dt>network client, <a class="indexterm" href="ClientConfig.html#id345986">Features and Benefits</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>network clients, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>network configuration problems, <a class="indexterm" href="ClientConfig.html#id346080">TCP/IP Configuration</a></dt><dt>network difficulty, <a class="indexterm" href="ClientConfig.html#id345986">Features and Benefits</a></dt><dt>network environment, <a class="indexterm" href="AdvancedNetworkManagement.html#id421545">Remote Desktop Management</a></dt><dt>Network ID, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>network interface, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>network logon, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>network logon services, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a></dt><dt>network membership, <a class="indexterm" href="ClientConfig.html#id346039">Technical Details</a></dt><dt>Network Monitor, <a class="indexterm" href="problems.html#id447261">The Windows Network Monitor</a></dt><dt>Network Monitor Tools and Agent, <a class="indexterm" href="problems.html#id447316">Installing Network Monitor on an NT Workstation</a></dt><dt>Network Neighborhood, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is 
Browsing?</a>, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a>, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a>, <a class="indexterm" href="classicalprinting.html#id395482">Check Samba for Driver Recognition</a></dt><dt>network neighborhood, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>network policies, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a></dt><dt>network security, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>network segment, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>Network settings, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></dt><dt>network sniffer, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>network storage, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>network traffic, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>networked workstation, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a></dt><dt>networking advocates, <a class="indexterm" href="Backup.html#id433944">Discussion of Backup Solutions</a></dt><dt>networking environment, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>networking systems, <a class="indexterm" href="ClientConfig.html#id348714">Common Errors</a></dt><dt>networks access, <a class="indexterm" href="speed.html#id452749">Samba Performance is Very Slow</a></dt><dt>Networks 
Properties, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>new account, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>new parameters, <a class="indexterm" href="upgrading-to-3.0.html#id439392">New Parameters</a></dt><dt>newsgroup, <a class="indexterm" href="bugreport.html#id447883">Introduction</a></dt><dt>Nexus toolkit, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>Nexus.exe, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a></dt><dt>NFS, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a>, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a>, <a class="indexterm" href="SambaHA.html#id435168">Restrictive Constraints on Distributed File Systems</a>, <a class="indexterm" href="upgrading-to-3.0.html#id441231">IdMap LDAP Support</a></dt><dt>NFS clients, <a class="indexterm" href="locking.html#id383903">UNIX or NFS Client-Accessed Files</a></dt><dt>NIS, <a class="indexterm" href="ServerType.html#id331249">Share-Level Security</a>, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or 
Domain Member Client</a>, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a></dt><dt>NIS database, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a></dt><dt>nmbd, <a class="indexterm" href="install.html#id325180">Starting Samba</a>, <a class="indexterm" href="install.html#id325571">Test Your Config File with testparm</a>, <a class="indexterm" href="FastStart.html#id327301">Secure Read-Write File and Print Server</a>, <a class="indexterm" href="FastStart.html#id328056">Example Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a>, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a>, <a class="indexterm" href="NetworkBrowsing.html#id356175">Flushing the Samba NetBIOS Name Cache</a>, <a class="indexterm" href="idmapper.html#id374170">NT4-Style Domains (Includes Samba Domains)</a>, <a class="indexterm" href="winbind.html#id418852">Testing Things Out</a>, <a class="indexterm" href="winbind.html#id420170">Linux</a>, <a class="indexterm" href="winbind.html#id420337">Solaris</a>, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a>, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a>, <a class="indexterm" href="speed.html#id452660">Corrupt tdb Files</a></dt><dt>nmblookup, <a class="indexterm" href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>No NetBIOS layer, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a></dt><dt>no network logon service, <a class="indexterm" 
href="StandAloneServer.html#id344808">Background</a></dt><dt>no printcap file, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>nobody, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>nobody account, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>node-type, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>NoMachine, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>NoMachine.Com, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>non-authentication-based account management, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>non-authoritative, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>non-LDAP</dt><dd><dl><dt>backend, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a></dt></dl></dd><dt>non-member Windows client, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>non-PostScript, <a class="indexterm" href="CUPS-printing.html#id401523">CUPS Also Uses PPDs for Non-PostScript Printers</a>, <a class="indexterm" href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dt>non-PostScript printers, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a>, <a class="indexterm" href="CUPS-printing.html#id411496">Foomatic Database-Generated PPDs</a></dt><dt>nonhierarchical, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>nontransitive, <a class="indexterm" 
href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>normal color, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>normal user, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>not domain member, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a></dt><dt>not domain members, <a class="indexterm" href="StandAloneServer.html">Standalone Servers</a></dt><dt>not part of domain, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a></dt><dt>not stored anywhere, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>not transitive, <a class="indexterm" href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>Novell, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a>, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>Novell eDirectory server, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>NSS, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="passdb.html#id362365">ldapsam</a>, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="passdb.html#id363677">Accounts and Groups Management</a>, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or 
Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a>, <a class="indexterm" href="winbind.html#id417956">How Winbind Works</a>, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a>, <a class="indexterm" href="winbind.html#id420500">Configure Winbind and PAM</a>, <a class="indexterm" href="winbind.html#id421094">Conclusion</a></dt><dt>nsswitch.conf, <a class="indexterm" href="ServerType.html#id331249">Share-Level Security</a></dt><dt>nss_ldap, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id375947">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>nss_winbind.so.1, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>NT domain, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a></dt><dt>NT groups, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a></dt><dt>NT migration scripts, <a class="indexterm" href="passdb.html#id362365">ldapsam</a></dt><dt>NT password, <a class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a></dt><dt>NT Server Manager, <a class="indexterm" 
href="AccessControls.html#id380864">Windows NT4 Workstation/Server</a></dt><dt>NT-controlled domain, <a class="indexterm" href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></dt><dt>NT-encrypted password, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>NT-encrypted passwords, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></dt><dt>NT4, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>NT4 Domain, <a class="indexterm" href="idmapper.html#id372854">Standalone Samba Server</a></dt><dt>NT4 domain, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a></dt><dt>NT4 domain members, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>NT4 style policy updates, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></dt><dt>NT4 User Manager for Domains, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>NT4-style, <a class="indexterm" href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>NT4-style domain, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>NT4-style domains, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>Nt4sp6ai.exe, <a class="indexterm" href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></dt><dt>NTConfig.POL, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="PolicyMgmt.html#id422683">Windows 9x/ME 
Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id422977">Registry Spoiling</a>, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423192">Administration of Windows 200x/XP Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423630">Samba Editreg Toolset</a>, <a class="indexterm" href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a>, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>ntconfig.pol, <a class="indexterm" href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></dt><dt>ntdrivers.tdb, <a class="indexterm" href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a>, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>ntforms.tdb, <a class="indexterm" href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a>, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>NTFS, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>NTLMv2, <a class="indexterm" href="securing-samba.html#id386164">NTLMv2 Security</a></dt><dt>ntlm_auth, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>ntprinters.tdb, <a class="indexterm" href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a>, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>NTUser.DAT, <a class="indexterm" href="PolicyMgmt.html#id423630">Samba 
Editreg Toolset</a>, <a class="indexterm" href="ProfileMgmt.html#id426418">Mandatory Profiles</a>, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>NTuser.DAT, <a class="indexterm" href="ProfileMgmt.html#id425356">Windows NT4 Workstation</a>, <a class="indexterm" href="ProfileMgmt.html#id425996">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a>, <a class="indexterm" href="NT4Migration.html#id442200">Profile Migration/Creation</a></dt><dt>NTuser.MAN, <a class="indexterm" href="ProfileMgmt.html#id425356">Windows NT4 Workstation</a></dt><dt>NTUser.MAN, <a class="indexterm" href="ProfileMgmt.html#id426418">Mandatory Profiles</a></dt><dt>NT_STATUS_LOGON_FAILURE, <a class="indexterm" href="upgrading-to-3.0.html#id440430">Changes in Behavior</a></dt><dt>NT_STATUS_UNSUCCESSFUL, <a class="indexterm" href="classicalprinting.html#id395292">Running rpcclient with adddriver</a></dt><dt>null shell, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>NX, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt></dl></div><div class="indexdiv"><h3>O</h3><dl><dt>object class, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>object class declaration, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>object module dependencies, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>ObjectClass, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a></dt><dt>ObjectClasses, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a></dt><dt>obtuse complexity, <a class="indexterm" 
href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>office server, <a class="indexterm" href="FastStart.html#id327301">Secure Read-Write File and Print Server</a></dt><dt>OID, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a></dt><dt>old sambaAccount, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>Omni, <a class="indexterm" href="CUPS-printing.html#id411332">Driver Development Outside</a></dt><dt>on the fly, <a class="indexterm" href="domain-member.html#id341570">Windows NT4 Client</a></dt><dt>on-the-fly, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a></dt><dt>on-the-fly logon scripts, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>on-the-fly policy files, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>one direction, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>one domain, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>one-way trust, <a class="indexterm" href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></dt><dt>only one WINS server, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a></dt><dt>OpenGFS, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a></dt><dt>OpenLDAP, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a>, <a class="indexterm" href="ChangeNotes.html#id349573">LDAP Changes in Samba-3.0.23</a>, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" href="passdb.html#id362595">Supported LDAP 
Servers</a>, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>OpenLDAP backend, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></dt><dt>OpenSSL, <a class="indexterm" href="SWAT.html#id443982">Securing SWAT through SSL</a>, <a class="indexterm" href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></dt><dt>operating costs, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>operating system search path, <a class="indexterm" href="SWAT.html#id443466">Locating the SWAT File</a></dt><dt>oplock, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a></dt><dt>oplock break, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a>, <a class="indexterm" href="locking.html#id384068">Beware of Force User</a></dt><dt>oplock handling, <a class="indexterm" href="SambaHA.html#id435168">Restrictive Constraints on Distributed File Systems</a></dt><dt>oplock mechanism, <a class="indexterm" href="locking.html#id384149">Advanced Samba Oplocks Parameters</a></dt><dt>oplock messages, <a class="indexterm" href="SambaHA.html#id435366">Required Modifications to Samba</a></dt><dt>oplock parameters, <a class="indexterm" href="locking.html#id384149">Advanced Samba Oplocks Parameters</a></dt><dt>oplocks, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>oplocks disabled, <a class="indexterm" href="locking.html#id383974">Multiuser Databases</a></dt><dt>oplocks management, <a class="indexterm" href="locking.html#id384012">PDM Data Shares</a></dt><dt>opportunistic locking, <a class="indexterm" href="locking.html#id383088">Features and Benefits</a>, <a class="indexterm" 
href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>Opportunistic locking, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>optional, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>ordinary connection, <a class="indexterm" href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></dt><dt>Organization for the Advancement of Structured Information Standards (see OASIS)</dt><dt>organizational directory, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>organizational unit, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a> (see OU)</dt><dt>os level, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>OSS/Free Software, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>other, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>output duplexing, <a class="indexterm" href="CUPS-printing.html#id402708">pstops</a></dt><dt>outside threat, <a class="indexterm" href="securing-samba.html#id385501">Using Host-Based Protection</a></dt><dt>own home directory, <a class="indexterm" href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a></dt><dt>ownership, <a class="indexterm" href="AccessControls.html#id381286">Viewing File Ownership</a></dt><dt>ownership cost, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>ownership rights, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt></dl></div><div class="indexdiv"><h3>P</h3><dl><dt>p-node, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>package, <a class="indexterm" 
href="install.html#id325348">Example Configuration</a></dt><dt>packages, <a class="indexterm" href="install.html#id324258">Obtaining and Installing Samba</a></dt><dt>packet sniffer, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>packet trace, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>PADL, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></dt><dt>PADL Software, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>page description languages (see PDL)</dt><dt>pager program, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a></dt><dt>page_log, <a class="indexterm" href="CUPS-printing.html#id412266">The page_log File Syntax</a></dt><dt>paid-for support, <a class="indexterm" href="ch47.html">Samba Support</a></dt><dt>PAM, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id361898">Plaintext</a>, <a class="indexterm" href="passdb.html#id362365">ldapsam</a>, <a class="indexterm" href="winbind.html#id417956">How Winbind Works</a>, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a>, <a class="indexterm" href="winbind.html#id418709">Requirements</a>, <a class="indexterm" href="winbind.html#id418852">Testing Things Out</a>, <a 
class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a>, <a class="indexterm" href="winbind.html#id420500">Configure Winbind and PAM</a>, <a class="indexterm" href="winbind.html#id421094">Conclusion</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" href="pam.html#id428896">Technical Discussion</a></dt><dt>PAM authentication module, <a class="indexterm" href="pam.html#id428947">PAM Configuration Syntax</a></dt><dt>PAM configuration, <a class="indexterm" href="winbind.html#id418709">Requirements</a></dt><dt>PAM management, <a class="indexterm" href="pam.html">PAM-Based Distributed Authentication</a></dt><dt>PAM module, <a class="indexterm" href="winbind.html#id419308">NSS Winbind on AIX</a></dt><dt>PAM modules, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>PAM-capable, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam-devel, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a></dt><dt>PAM-enabled, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a>, <a class="indexterm" href="pam.html">PAM-Based Distributed Authentication</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>PAM-specific tokens, <a class="indexterm" href="pam.html#id428947">PAM Configuration Syntax</a></dt><dt>pam_krb5.so, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_ldap, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>pam_ldap.so, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_mkhomedir, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>pam_ncp_auth.so, <a class="indexterm" 
href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_pwdb.so, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_securetty.so, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>pam_smbpass.so, <a class="indexterm" href="pam.html">PAM-Based Distributed Authentication</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_smbpasswd.so, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_smb_auth.so, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_unix.so, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_unix2.so, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_userdb.so, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>pam_winbind, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>pam_winbind.so, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a>, <a class="indexterm" href="winbind.html#id420500">Configure Winbind and PAM</a>, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>parameters, <a class="indexterm" href="classicalprinting.html#id389939">Rapid Configuration Validation</a></dt><dt>paranoid, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>passdb, <a class="indexterm" href="samba-bdc.html#id339540">Machine Accounts Keep Expiring</a></dt><dt>passdb backend, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" 
href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a>, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a>, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a class="indexterm" href="passdb.html#id360908">Deleting Accounts</a>, <a class="indexterm" href="passdb.html#id362220">tdbsam</a>, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" href="upgrading-to-3.0.html#id441075">New Suffix for Searching</a></dt><dt>passdb backends, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>passed across the network, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>passwd, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a>, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>password, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain 
Control</a>, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a class="indexterm" href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a>, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dd><dl><dt>plaintext, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a></dt></dl></dd><dt>password aging, <a class="indexterm" href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dt>password assigned, <a class="indexterm" href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a></dt><dt>password backend, <a class="indexterm" href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a></dt><dt>password backends, <a class="indexterm" href="passdb.html">Account Information Databases</a></dt><dt>password change facility, <a class="indexterm" href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>password database, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>password encryption, <a class="indexterm" href="passdb.html#id361898">Plaintext</a></dt><dt>password expiration, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>password expired, <a class="indexterm" href="passdb.html#id360988">Changing User Accounts</a></dt><dt>password history, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>password management, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a></dt><dt>password prompt, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>password scheme, <a class="indexterm" 
href="passdb.html#id357700">Important Notes About Security</a></dt><dt>password server, <a class="indexterm" href="ServerType.html#id331998">Server Security (User Level Security)</a>, <a class="indexterm" href="domain-member.html#id342799">Configure smb.conf</a></dt><dt>password uniqueness, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>passwords, <a class="indexterm" href="winbind.html#id417589">Introduction</a></dt><dt>patch, <a class="indexterm" href="bugreport.html#id448614">Patches</a></dt><dt>path specified, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a></dt><dt>pauses, <a class="indexterm" href="speed.html#id452749">Samba Performance is Very Slow</a></dt><dt>PBM, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>PCL, <a class="indexterm" href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a class="indexterm" href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a>, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a>, <a class="indexterm" href="CUPS-printing.html#id405456">Printing with Interface Scripts</a>, <a class="indexterm" href="CUPS-printing.html#id405672">Driver Execution on the Server</a>, <a class="indexterm" href="CUPS-printing.html#id406034">Network PostScript RIP</a></dt><dt>pdbedit, <a class="indexterm" href="FastStart.html#id328866">Example: Engineering Office</a>, <a class="indexterm" href="passdb.html#acctmgmttools">Account Management Tools</a>, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a class="indexterm" href="passdb.html#id360511">User Account Management</a>, <a class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a>, <a class="indexterm" href="passdb.html#id360831">Adding User Accounts</a>, <a class="indexterm" href="passdb.html#id360908">Deleting 
Accounts</a>, <a class="indexterm" href="passdb.html#id360988">Changing User Accounts</a>, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a>, <a class="indexterm" href="passdb.html#id361730">Account Import/Export</a>, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a>, <a class="indexterm" href="PolicyMgmt.html#id423743">Samba PDC</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438531">Quick Migration Guide</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440518">Passdb Backends and Authentication</a>, <a class="indexterm" href="NT4Migration.html#id442286">Steps in Migration Process</a>, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>pdb_ldap, <a class="indexterm" href="samba-bdc.html#id339736">Can I Do This All with LDAP?</a></dt><dt>PDC, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a>, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a>, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a>, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id337727">Example PDC Configuration</a>, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a class="indexterm" href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a>, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339588">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a>, <a class="indexterm" 
href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a>, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a>, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a>, <a class="indexterm" href="passdb.html#id362220">tdbsam</a>, <a class="indexterm" href="passdb.html#id364001">LDAP Special Attributes for sambaSamAccounts</a>, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a class="indexterm" href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a>, <a class="indexterm" href="CUPS-printing.html#id408132">cupsaddsmb with a Samba PDC</a>, <a class="indexterm" href="winbind.html#id417844">Handling of Foreign SIDs</a>, <a class="indexterm" href="winbind.html#id418004">Microsoft Remote Procedure Calls</a>, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a>, <a class="indexterm" href="winbind.html#id418546">Result Caching</a>, <a class="indexterm" 
href="winbind.html#id418602">Introduction</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a>, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a>, <a class="indexterm" href="problems.html#id447602">Getting Mailing List Help</a>, <a class="indexterm" href="speed.html#id452660">Corrupt tdb Files</a></dt><dt>PDF, <a class="indexterm" href="CUPS-printing.html#id399310">Simple smb.conf Settings for CUPS</a>, <a class="indexterm" href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a>, <a class="indexterm" href="CUPS-printing.html#id401346">PostScript Printer Description (PPD) Specification</a>, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a>, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a>, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>pdf, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a></dt><dt>PDF distilling, <a class="indexterm" href="CUPS-printing.html#id401346">PostScript Printer Description (PPD) Specification</a></dt><dt>PDF filter, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>pdftops, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a>, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>pdftosocket, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>PDL, <a class="indexterm" href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a class="indexterm" 
href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a class="indexterm" href="CUPS-printing.html#id401346">PostScript Printer Description (PPD) Specification</a></dt><dt>PDM, <a class="indexterm" href="locking.html#id384012">PDM Data Shares</a></dt><dt>peer domain, <a class="indexterm" href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a></dt><dt>Peer node, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>per-share access control, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a></dt><dt>performance, <a class="indexterm" href="largefile.html">Handling Large Directories</a>, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>performance advantage, <a class="indexterm" href="locking.html#id383088">Features and Benefits</a></dt><dt>performance degradation, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>performance enhancement, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>performance improvement, <a class="indexterm" href="locking.html#id383934">Slow and/or Unreliable Networks</a></dt><dt>performance-based, <a class="indexterm" href="passdb.html#id362220">tdbsam</a></dt><dt>performed as root, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>perimeter firewall, <a class="indexterm" href="securing-samba.html#id385353">Features and Benefits</a></dt><dt>permanent changes, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>Permanent name, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>permissions, <a class="indexterm" href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a>, <a class="indexterm" href="VFS.html#id416266">Shadow Copy 
Setup</a></dt><dd><dl><dt>file/directory ACLs, <a class="indexterm" href="AccessControls.html#id381182">Managing UNIX Permissions Using NT Security Dialogs</a></dt><dt>share, <a class="indexterm" href="AccessControls.html#id379717">Share Definition Access Controls</a></dt><dt>share ACLs, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a></dt><dt>UNIX file and directory, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a></dt></dl></dd><dt>Permissions, <a class="indexterm" href="AccessControls.html#id380962">Windows 200x/XP</a></dt><dt>permissions and controls, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a></dt><dt>PGP, <a class="indexterm" href="compiling.html#id449593">Verifying Samba's PGP Signature</a></dt><dt>phasing out NetBIOS, <a class="indexterm" href="NetworkBrowsing.html#netdiscuss">Discussion</a></dt><dt>Photo-CD, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>physical locations, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>physical network transport layer, <a class="indexterm" href="integrate-ms-networks.html#id431155">/etc/hosts</a></dt><dt>PID, <a class="indexterm" href="bugreport.html#id448498">Attaching to a Running Process</a></dt><dt>pid directory, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>ping, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>pipe device, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>PJL, <a class="indexterm" href="CUPS-printing.html#id406034">Network PostScript RIP</a>, <a class="indexterm" href="CUPS-printing.html#id407452">Windows CUPS PostScript Driver Versus Adobe Driver</a>, <a class="indexterm" href="CUPS-printing.html#id412135">Adobe and 
CUPS PostScript Drivers for Windows Clients</a></dt><dt>PJL-header, <a class="indexterm" href="CUPS-printing.html#id412135">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>plague network users, <a class="indexterm" href="ClientConfig.html#id346080">TCP/IP Configuration</a></dt><dt>plain-text</dt><dd><dl><dt>passwords, <a class="indexterm" href="ServerType.html#id332239">Password Checking</a></dt></dl></dd><dt>plaintext, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></dt><dt>plaintext authentication, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></dt><dt>plaintext password, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a></dt><dt>plaintext passwords, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>platforms, <a class="indexterm" href="Portability.html">Portability</a></dt><dt>PLP, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>Pluggable Authentication Modules (see PAM)</dt><dt>PNG, <a class="indexterm" href="CUPS-printing.html#id401205">Ghostscript: The Software RIP for Non-PostScript Printers</a>, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>PNM, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>point 'n' print, <a class="indexterm" href="CUPS-printing.html#id400166">Installation of Windows Client Drivers</a>, <a class="indexterm" href="CUPS-printing.html#id407647">Run cupsaddsmb (Quiet Mode)</a>, <a class="indexterm" href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a></dt><dt>Point'n'Print, <a class="indexterm" 
href="classicalprinting.html#id389000">Features and Benefits</a>, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a class="indexterm" href="classicalprinting.html#id393254">Point'n'Print Client Drivers on Samba Servers</a>, <a class="indexterm" href="classicalprinting.html#id395182">smbclient to Confirm Driver Installation</a></dt><dt>point'n'print, <a class="indexterm" href="CUPS-printing.html#id400430">Driver Upload Methods</a>, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a>, <a class="indexterm" href="CUPS-printing.html#id408287">Installing the PostScript Driver on a Client</a></dt><dt>Poledit, <a class="indexterm" href="PolicyMgmt.html#id423192">Administration of Windows 200x/XP Policies</a></dt><dt>poledit.exe, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a>, <a class="indexterm" href="PolicyMgmt.html#id423192">Administration of Windows 200x/XP Policies</a></dt><dt>Policies, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></dt><dt>policies, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>policy editor, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a></dt><dt>Policy Editor, <a class="indexterm" href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></dt><dt>policy file , <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></dt><dt>policy files, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a></dt><dt>policy settings, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>port 135, <a 
class="indexterm" href="NetworkBrowsing.html#id353180">Multiple Interfaces</a></dt><dt>Port 135/TCP, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>port 137, <a class="indexterm" href="NetworkBrowsing.html#id353180">Multiple Interfaces</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>Port 137/UDP, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>port 138, <a class="indexterm" href="NetworkBrowsing.html#id353180">Multiple Interfaces</a></dt><dt>Port 138/UDP, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>port 139, <a class="indexterm" href="NetworkBrowsing.html#id353180">Multiple Interfaces</a></dt><dt>Port 139/TCP, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>port 445, <a class="indexterm" href="NetworkBrowsing.html#id353180">Multiple Interfaces</a></dt><dt>Port 445/TCP, <a class="indexterm" href="securing-samba.html#firewallports">Using a Firewall</a></dt><dt>ports, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a>, <a class="indexterm" href="problems.html#id447122">Ethereal</a></dt><dt>POSIX, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="passdb.html#id363677">Accounts and Groups Management</a>, <a class="indexterm" href="NetCommand.html#id368450">Adding or Creating a New Group</a></dt><dt>POSIX account, <a class="indexterm" href="passdb.html#id360511">User Account Management</a>, <a class="indexterm" href="NetCommand.html#id369648">UNIX and Windows User Management</a></dt><dt>POSIX ACLs, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a>, <a class="indexterm" 
href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>POSIX ACLS, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>POSIX identity, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>POSIX locks, <a class="indexterm" href="SambaHA.html#id435235">Server Pool Communications</a></dt><dt>POSIX semantics, <a class="indexterm" href="SambaHA.html#id435235">Server Pool Communications</a></dt><dt>POSIX user accounts, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>posixAccount, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a></dt><dt>posixGroup, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a>, <a class="indexterm" href="passdb.html#id363677">Accounts and Groups Management</a></dt><dt>PostScript, <a class="indexterm" href="CUPS-printing.html#id399310">Simple smb.conf Settings for CUPS</a>, <a class="indexterm" href="CUPS-printing.html#id400541">Advanced Intelligent Printing with PostScript Driver Download</a>, <a class="indexterm" href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a>, <a class="indexterm" href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a>, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a>, <a class="indexterm" href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a class="indexterm" href="CUPS-printing.html#id401346">PostScript Printer Description (PPD) Specification</a>, <a class="indexterm" href="CUPS-printing.html#id401414">Using Windows-Formatted Vendor PPDs</a>, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a>, <a class="indexterm" 
href="CUPS-printing.html#id402529">Prefilters</a>, <a class="indexterm" href="CUPS-printing.html#id402708">pstops</a>, <a class="indexterm" href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a>, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a>, <a class="indexterm" href="CUPS-printing.html#id405672">Driver Execution on the Server</a>, <a class="indexterm" href="CUPS-printing.html#id406034">Network PostScript RIP</a>, <a class="indexterm" href="CUPS-printing.html#id406267">CUPS: A &#8220;Magical Stone&#8221;?</a>, <a class="indexterm" href="CUPS-printing.html#id406303">PostScript Drivers with No Major Problems, Even in Kernel
-Mode</a>, <a class="indexterm" href="CUPS-printing.html#id406765">CUPS &#8220;PostScript Driver for Windows NT/200x/XP&#8221;</a></dt><dd><dl><dt>(see also Ghostscript)</dt><dt>RIP, <a class="indexterm" href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt></dl></dd><dt>PostScript driver, <a class="indexterm" href="classicalprinting.html#id394988">Installing Driver Files into [print$]</a></dt><dt>PostScript interpreter, <a class="indexterm" href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt><dt>PostScript Printer Description (see PPD)</dt><dt>PostScript printers, <a class="indexterm" href="CUPS-printing.html#id413023">Printing from CUPS to Windows-Attached Printers</a></dt><dt>potential master browsers, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>potential printer, <a class="indexterm" href="classicalprinting.html#id393726">[print$] Stanza Parameters</a></dt><dt>Power Users, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>powerful, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt><dt>PPD, <a class="indexterm" href="classicalprinting.html#id394988">Installing Driver Files into [print$]</a>, <a class="indexterm" href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a class="indexterm" href="CUPS-printing.html#id401346">PostScript Printer Description (PPD) Specification</a>, <a class="indexterm" href="CUPS-printing.html#id401523">CUPS Also Uses PPDs for Non-PostScript Printers</a>, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a>, <a class="indexterm" href="CUPS-printing.html#id404006">&#8220;Raw&#8221; Printing</a>, <a class="indexterm" href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a>, <a class="indexterm" 
href="CUPS-printing.html#id406112">PPDs for Non-PS Printers on UNIX</a>, <a class="indexterm" href="CUPS-printing.html#id406149">PPDs for Non-PS Printers on Windows</a>, <a class="indexterm" href="CUPS-printing.html#id406267">CUPS: A &#8220;Magical Stone&#8221;?</a>, <a class="indexterm" href="CUPS-printing.html#id408287">Installing the PostScript Driver on a Client</a>, <a class="indexterm" href="CUPS-printing.html#id412135">Adobe and CUPS PostScript Drivers for Windows Clients</a>, <a class="indexterm" href="CUPS-printing.html#id413023">Printing from CUPS to Windows-Attached Printers</a></dt><dd><dl><dt>CUPS (see CUPS-PPD)</dt></dl></dd><dt>PPD-aware, <a class="indexterm" href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt><dt>PPDs, <a class="indexterm" href="CUPS-printing.html#id401414">Using Windows-Formatted Vendor PPDs</a>, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a>, <a class="indexterm" href="CUPS-printing.html#id411224">The Grand Unification Achieved</a></dt><dt>PPP, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>precedence, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt>preferred master, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></dt><dt>prefilter, <a class="indexterm" href="CUPS-printing.html#id403119">imagetops and imagetoraster</a></dt><dt>prefilters, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a></dt><dt>primary domain controller, <a class="indexterm" href="cfgsmarts.html#id437590">Multiple Virtual Server Hosting</a></dt><dt>primary group, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>Primary Logon, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>Primary WINS Server, <a class="indexterm" 
href="NetworkBrowsing.html#id353824">WINS Server Configuration</a></dt><dt>print, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a></dt><dd><dl><dt>queue, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a></dt><dt>spooler, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a></dt></dl></dd><dt>print accounting, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>print command, <a class="indexterm" href="classicalprinting.html#id392052">Print Commands</a></dt><dt>print commands, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a></dt><dt>print configuration, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a>, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a></dt><dt>print environment, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a></dt><dt>print filtering, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a></dt><dt>print job, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a></dt><dt>print jobs, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>print processing, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a></dt><dt>print queue, <a class="indexterm" href="classicalprinting.html#id393254">Point'n'Print Client Drivers on Samba Servers</a>, <a class="indexterm" href="classicalprinting.html#id395182">smbclient to Confirm Driver Installation</a>, <a class="indexterm" href="classicalprinting.html#id395688">Specific Driver Name Flexibility</a>, <a class="indexterm" href="CUPS-printing.html#id403411">CUPS Backends</a></dt><dt>print quota, <a class="indexterm" href="CUPS-printing.html#id400541">Advanced Intelligent 
Printing with PostScript Driver Download</a></dt><dt>print server, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>print service, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>print spooling, <a class="indexterm" href="winbind.html#id418004">Microsoft Remote Procedure Calls</a></dt><dt>print spooling system, <a class="indexterm" href="CUPS-printing.html#id398866">Overview</a></dt><dt>print statistics, <a class="indexterm" href="CUPS-printing.html#id400541">Advanced Intelligent Printing with PostScript Driver Download</a></dt><dt>print subsystem, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a>, <a class="indexterm" href="classicalprinting.html#id392052">Print Commands</a></dt><dt>print test page, <a class="indexterm" href="classicalprinting.html#id395936">First Client Driver Installation</a></dt><dt>printcap, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a>, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a>, <a class="indexterm" href="classicalprinting.html#ptrsect">The [printers] Section</a></dt><dt>Printcap, <a class="indexterm" href="CUPS-printing.html#id398976">Basic CUPS Support Configuration</a></dt><dt>printcap name, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>PrintcapFormat, <a class="indexterm" href="CUPS-printing.html#id398976">Basic CUPS Support Configuration</a></dt><dt>printer attributes publishing, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>printer default permissions, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>printer driver, <a class="indexterm" 
href="classicalprinting.html#id393408">The Obsoleted [printer$] Section</a>, <a class="indexterm" href="classicalprinting.html#id393519">Creating the [print$] Share</a>, <a class="indexterm" href="CUPS-printing.html#id399310">Simple smb.conf Settings for CUPS</a></dt><dt>printer driver data, <a class="indexterm" href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></dt><dt>printer driver file, <a class="indexterm" href="classicalprinting.html#id393408">The Obsoleted [printer$] Section</a></dt><dt>printer driver files, <a class="indexterm" href="classicalprinting.html#id395182">smbclient to Confirm Driver Installation</a></dt><dt>printer drivers, <a class="indexterm" href="classicalprinting.html#id393254">Point'n'Print Client Drivers on Samba Servers</a>, <a class="indexterm" href="CUPS-printing.html#id411224">The Grand Unification Achieved</a></dt><dt>printer icon, <a class="indexterm" href="classicalprinting.html#id395482">Check Samba for Driver Recognition</a></dt><dt>printer management, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>printer management system, <a class="indexterm" href="CUPS-printing.html#id398866">Overview</a></dt><dt>printer migration, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>printer monitor, <a class="indexterm" href="speed.html#id452749">Samba Performance is Very Slow</a></dt><dt>printer objects, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>Printer Pooling, <a class="indexterm" href="classicalprinting.html#id397860">Samba and Printer Ports</a></dt><dt>printer queue, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>printer share, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>printer shares , <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with 
testparm</a>, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>printer$ share, <a class="indexterm" href="classicalprinting.html#id393408">The Obsoleted [printer$] Section</a></dt><dt>printers, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a>, <a class="indexterm" href="StandAloneServer.html#id344722">Features and Benefits</a></dt><dt>Printers, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>printers admin, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>Printers and Faxes, <a class="indexterm" href="classicalprinting.html#id395482">Check Samba for Driver Recognition</a></dt><dt>printers available, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a></dt><dt>printers section, <a class="indexterm" href="classicalprinting.html#ptrsect">The [printers] Section</a></dt><dt>printing, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>printing behavior, <a class="indexterm" href="classicalprinting.html#id389393">Printing-Related Configuration Parameters</a></dt><dt>printing calls, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>printing now, <a class="indexterm" href="speed.html#id452749">Samba Performance is Very Slow</a></dt><dt>printing support, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a>, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a></dt><dt>printing system, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a></dt><dt>printing systems, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>printing-related settings, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a></dt><dt>printing.tdb, 
<a class="indexterm" href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a>, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>PrintPro (see ESP Print Pro)</dt><dt>private dir, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>private groups, <a class="indexterm" href="groupmapping.html#id365690">Warning: User Private Group Problems</a></dt><dt>private key, <a class="indexterm" href="SWAT.html#id443982">Securing SWAT through SSL</a></dt><dt>private network, <a class="indexterm" href="securing-samba.html#id385260">Introduction</a></dt><dt>private networks, <a class="indexterm" href="securing-samba.html#id385501">Using Host-Based Protection</a></dt><dt>private/MACHINE.SID, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a></dt><dt>private/secrets.tdb, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a></dt><dt>privilege, <a class="indexterm" href="groupmapping.html#id366379">Applicable Only to Versions Earlier than 3.0.11</a>, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>privilege management, <a class="indexterm" href="groupmapping.html#id366270">Important Administrative Information</a>, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>privilege model, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a></dt><dt>privilege-granting applications, <a class="indexterm" href="pam.html#id428896">Technical Discussion</a></dt><dt>privileged accounts, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>privileges, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" 
href="domain-member.html#id341398">Windows 200x/XP Professional Client</a>, <a class="indexterm" href="groupmapping.html#id366379">Applicable Only to Versions Earlier than 3.0.11</a>, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a>, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a>, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>privileges assigned, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>problem report, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>problem resolution, <a class="indexterm" href="ch47.html">Samba Support</a></dt><dt>problematic print, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a></dt><dt>Process data management, <a class="indexterm" href="locking.html#id384012">PDM Data Shares</a></dt><dt>professional support, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>profile, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a>, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a></dt><dt>profile access rights, <a class="indexterm" href="ProfileMgmt.html#id426546">Creating and Managing Group Profiles</a></dt><dt>profile contents, <a class="indexterm" href="ProfileMgmt.html#id425996">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></dt><dt>profile directory, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile 
Setup</a></dt><dt>profile migration tool, <a class="indexterm" href="ProfileMgmt.html#id426546">Creating and Managing Group Profiles</a></dt><dt>profile path, <a class="indexterm" href="samba-bdc.html#id337727">Example PDC Configuration</a>, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a>, <a class="indexterm" href="ProfileMgmt.html#id425356">Windows NT4 Workstation</a></dt><dt>profile sharing, <a class="indexterm" href="ProfileMgmt.html#id425996">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></dt><dt>Profile Type, <a class="indexterm" href="ProfileMgmt.html#id424492">Disabling Roaming Profile Support</a></dt><dt>ProfilePath, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>profiles, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a></dt><dt>Profiles, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a></dt><dt>project, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>promiscuous mode, <a class="indexterm" href="problems.html#id447261">The Windows Network Monitor</a></dt><dt>promote, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a></dt><dt>promoted, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>propagate, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a></dt><dt>Properties, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a>, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>protect directories, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>protect files, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>protection against attackers, 
<a class="indexterm" href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></dt><dt>protocol stack settings, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>provided services, <a class="indexterm" href="ch47.html">Samba Support</a></dt><dt>provisioned, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>pstops, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a>, <a class="indexterm" href="CUPS-printing.html#id402708">pstops</a>, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a>, <a class="indexterm" href="CUPS-printing.html#id412135">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>pstoraster, <a class="indexterm" href="CUPS-printing.html#id402868">pstoraster</a>, <a class="indexterm" href="CUPS-printing.html#id404631">cupsomatic/foomatic-rip Versus Native CUPS Printing</a>, <a class="indexterm" href="CUPS-printing.html#id412135">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>publish printers, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>publishing printers, <a class="indexterm" href="classicalprinting.html#id389939">Rapid Configuration Validation</a></dt><dt>PulseAudio, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a></dt><dt>punching, <a class="indexterm" href="CUPS-printing.html#id402708">pstops</a></dt><dt>purchase support, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>put, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>pvcreate, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt></dl></div><div class="indexdiv"><h3>Q</h3><dl><dt>QNX, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>qualified problem, <a class="indexterm" 
href="ch47.html#id453826">Free Support</a></dt><dt>queue control, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>quota controls, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt></dl></div><div class="indexdiv"><h3>R</h3><dl><dt>RAID, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>random machine account password, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>range, <a class="indexterm" href="NetCommand.html#id369648">UNIX and Windows User Management</a></dt><dt>range of hosts, <a class="indexterm" href="securing-samba.html#id385501">Using Host-Based Protection</a></dt><dt>RAP, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a></dt><dt>raster, <a class="indexterm" href="CUPS-printing.html#id402529">Prefilters</a>, <a class="indexterm" href="CUPS-printing.html#id411496">Foomatic Database-Generated PPDs</a></dt><dt>raster driver, <a class="indexterm" href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a></dt><dt>raster drivers, <a class="indexterm" href="CUPS-printing.html#id402868">pstoraster</a></dt><dt>raster image processor (see RIP)</dt><dt>raster images, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>rasterization, <a class="indexterm" href="CUPS-printing.html#id402868">pstoraster</a>, <a class="indexterm" href="CUPS-printing.html#id404631">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>rastertoalps, <a class="indexterm" href="CUPS-printing.html#id403199">rasterto [printers specific]</a></dt><dt>rastertobj, <a class="indexterm" href="CUPS-printing.html#id403199">rasterto [printers specific]</a></dt><dt>rastertoepson, <a class="indexterm" href="CUPS-printing.html#id403199">rasterto [printers specific]</a>, <a class="indexterm" href="CUPS-printing.html#id404945">Examples 
for Filtering Chains</a></dt><dt>rastertoescp, <a class="indexterm" href="CUPS-printing.html#id403199">rasterto [printers specific]</a></dt><dt>rastertohp, <a class="indexterm" href="CUPS-printing.html#id403199">rasterto [printers specific]</a></dt><dt>rastertopcl, <a class="indexterm" href="CUPS-printing.html#id403199">rasterto [printers specific]</a></dt><dt>rastertoprinter, <a class="indexterm" href="CUPS-printing.html#id403199">rasterto [printers specific]</a></dt><dt>rastertosomething, <a class="indexterm" href="CUPS-printing.html#id404631">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>rastertoturboprint, <a class="indexterm" href="CUPS-printing.html#id403199">rasterto [printers specific]</a></dt><dt>raw mode, <a class="indexterm" href="CUPS-printing.html#id404106">application/octet-stream Printing</a></dt><dt>raw print, <a class="indexterm" href="CUPS-printing.html#id408209">cupsaddsmb Flowchart</a></dt><dt>raw printers, <a class="indexterm" href="CUPS-printing.html#id398866">Overview</a></dt><dt>raw printing, <a class="indexterm" href="FastStart.html#id326962">Anonymous Print Server</a>, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="CUPS-printing.html#id399952">Raw Print Serving: Vendor Drivers on Windows Clients</a>, <a class="indexterm" href="CUPS-printing.html#cups-raw">Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream</a></dt><dt>raw SMB, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt><dt>raw SMB over TCP/IP, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a></dt><dt>rawprinter, <a class="indexterm" href="CUPS-printing.html#id404006">&#8220;Raw&#8221; Printing</a></dt><dt>rcp, <a class="indexterm" href="Backup.html#id434193">Rsync</a></dt><dt>rdesktop, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from 
NoMachine.Com</a></dt><dt>rdesktop/RDP, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>read, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>read directory into memory, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>read only, <a class="indexterm" href="VFS.html#fakeperms">fake_perms</a></dt><dd><dl><dt>server, <a class="indexterm" href="FastStart.html#anon-ro">Anonymous Read-Only Document Server</a></dt></dl></dd><dt>Read-ahead, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>read-only, <a class="indexterm" href="StandAloneServer.html#id344722">Features and Benefits</a>, <a class="indexterm" href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>read-only access, <a class="indexterm" href="idmapper.html#id374021">Backup Domain Controller</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>read-only files, <a class="indexterm" href="StandAloneServer.html#id344722">Features and Benefits</a></dt><dt>read-write access, <a class="indexterm" href="classicalprinting.html#id393408">The Obsoleted [printer$] Section</a></dt><dt>realm, <a class="indexterm" href="ServerType.html#id331866">ADS Security Mode (User-Level Security)</a>, <a class="indexterm" href="samba-bdc.html#id338539">NetBIOS Over TCP/IP Disabled</a>, <a class="indexterm" href="domain-member.html#id342799">Configure smb.conf</a>, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></dt><dt>rebooted, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a>, <a class="indexterm" 
href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>rebooting server, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>recompiling, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>reconfiguration, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>record locking, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>recycle, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle bin, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>recycle directory, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle:exclude, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle:exclude_dir, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle:keeptree, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle:maxsize, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle:noversions, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle:repository, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle:subdir_mode, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle:touch, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>recycle:versions, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>Red Hat Cluster Manager, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>Red Hat Linux, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a>, <a class="indexterm" href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a>, <a class="indexterm" href="groupmapping.html#id365690">Warning: User Private Group Problems</a></dt><dt>redirect, <a class="indexterm" href="samba-bdc.html#id339066">Example 
Configuration</a></dt><dt>redirection, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a></dt><dt>redirector, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>redundancy, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>reference documents, <a class="indexterm" href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>refusing connection, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a></dt><dt>regedit.exe, <a class="indexterm" href="ProfileMgmt.html#id426639">MS Windows 9x/Me</a></dt><dt>regedt32, <a class="indexterm" href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a></dt><dt>regedt32.exe, <a class="indexterm" href="PolicyMgmt.html#id423706">Windows NT4/200x</a></dt><dt>register driver files, <a class="indexterm" href="classicalprinting.html#id395292">Running rpcclient with adddriver</a></dt><dt>register NetBIOS names, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>registered, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a>, <a class="indexterm" href="classicalprinting.html#id395482">Check Samba for Driver Recognition</a></dt><dt>registers, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a></dt><dt>Registory, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>registry, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a>, <a class="indexterm" href="locking.html#id383088">Features and Benefits</a>, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id422683">Windows 9x/ME Policies</a>, <a 
class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a>, <a class="indexterm" href="ProfileMgmt.html#id426639">MS Windows 9x/Me</a></dt><dt>registry change, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>registry keys, <a class="indexterm" href="ProfileMgmt.html#id426613">Default Profile for Windows Users</a></dt><dt>registry settings, <a class="indexterm" href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></dt><dt>regulations, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>rejoin, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></dt><dt>relationship password, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>relative identifier, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a> (see RID)</dt><dt>Relative Identifier (see RID)</dt><dt>Relative Identifiers (see RID)</dt><dt>reliability, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>Remote Access Dial-In User Service (see RADIUS)</dt><dt>remote announce, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></dt><dt>remote browse sync, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></dt><dt>remote desktop capabilities, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>remote desktop management, <a class="indexterm" href="AdvancedNetworkManagement.html#id421545">Remote Desktop Management</a></dt><dt>remote domain, <a class="indexterm" href="InterdomainTrusts.html#id387178">Creating an NT4 Domain Trust</a>, <a class="indexterm" href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a>, <a 
class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>remote login, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>remote management, <a class="indexterm" href="NetCommand.html">Remote and Local Management: The Net Command</a>, <a class="indexterm" href="winbind.html#id418004">Microsoft Remote Procedure Calls</a></dt><dt>Remote Procedure Call (see RPC)</dt><dt>Remote Procedure Call System Service (see RPCSS)</dt><dt>remote profile, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>remote segment, <a class="indexterm" href="NetworkBrowsing.html#id353486">Use of the Remote Browse Sync Parameter</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>Remote X, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>Remote X protocol, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>remote-update protocol, <a class="indexterm" href="Backup.html#id434193">Rsync</a></dt><dt>rename, <a class="indexterm" href="AccessControls.html#id379000">Managing Directories</a></dt><dt>render, <a class="indexterm" href="CUPS-printing.html#id399952">Raw Print Serving: Vendor Drivers on Windows Clients</a></dt><dt>rendering, <a class="indexterm" href="CUPS-printing.html#id404631">cupsomatic/foomatic-rip Versus Native CUPS Printing</a></dt><dt>repeated intervals, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>replicate, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>replicated, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a>, <a class="indexterm" 
href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-bdc.html#id338300">Active Directory Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a></dt><dt>replicated SYSVOL, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a></dt><dt>replication, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a></dt><dd><dl><dt>browse lists, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></dt><dt>SAM, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339588">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a>, <a class="indexterm" href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a></dt><dt>WINS, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id354117">WINS Replication</a></dt></dl></dd><dt>replication protocols, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a></dt><dt>repository, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>requesting payment, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>required, <a class="indexterm" 
href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>requisite, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>research, <a class="indexterm" href="Backup.html#id433944">Discussion of Backup Solutions</a></dt><dt>resizing, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>resolution, <a class="indexterm" href="CUPS-printing.html#id403719">The Role of cupsomatic/foomatic</a></dt><dt>resolution of NetBIOS names, <a class="indexterm" href="NetworkBrowsing.html">Network Browsing</a></dt><dt>resolve NetBIOS names, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a></dt><dt>resolver functions, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a></dt><dt>resource failover, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>resource kit, <a class="indexterm" href="PolicyMgmt.html#id423192">Administration of Windows 200x/XP Policies</a>, <a class="indexterm" href="ProfileMgmt.html#profilemigrn">Windows NT4 Profile Management Tools</a></dt><dt>resource-based exclusion, <a class="indexterm" href="securing-samba.html#id385353">Features and Benefits</a></dt><dt>response, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a></dt><dt>restore, <a class="indexterm" href="tdb.html#id448693">Features and Benefits</a></dt><dt>restrict DNS, <a class="indexterm" href="NetworkBrowsing.html#id354520">Name Resolution Order</a></dt><dt>reviewers, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>revoke privileges, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>RFC 1001, <a class="indexterm" href="DNSDHCP.html#id454326">Example Configuration</a></dt><dt>RFC 1002, <a class="indexterm" href="DNSDHCP.html#id454326">Example Configuration</a></dt><dt>RFC 1179, <a class="indexterm" 
href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>RFC 2307, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt><dt>RFC 2307., <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a></dt><dt>RFC 2830, <a class="indexterm" href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>rfc2307bis, <a class="indexterm" href="idmapper.html#id375947">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>RFC2830, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a></dt><dt>RFCs, <a class="indexterm" href="problems.html">Analyzing and Solving Samba Problems</a></dt><dt>rich database backend, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>rich directory backend, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>RID, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a>, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a>, <a class="indexterm" href="winbind.html#id418479">User and Group ID Allocation</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>RID 500, <a class="indexterm" 
href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>RID base, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a></dt><dt>right to join domain, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>rights, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="domain-member.html#id343732">Possible Errors</a>, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a></dt><dt>rights and privilege, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a></dt><dt>rights and privileges, <a class="indexterm" href="groupmapping.html#id366270">Important Administrative Information</a>, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>rights assigned, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a>, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>RIP, <a class="indexterm" href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a></dt><dt>rlogind, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>Roaming Profile, <a class="indexterm" href="VFS.html#fakeperms">fake_perms</a></dt><dt>roaming profiles, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="ProfileMgmt.html#id424037">Features and Benefits</a>, <a class="indexterm" href="ProfileMgmt.html#id424492">Disabling Roaming Profile Support</a>, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>rogue machine, <a class="indexterm" href="NetworkBrowsing.html#id356175">Flushing the Samba NetBIOS Name 
Cache</a></dt><dt>rogue user, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>root, <a class="indexterm" href="domain-member.html#id341398">Windows 200x/XP Professional Client</a>, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>root account, <a class="indexterm" href="rights.html">User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>root user, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>rotate, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>RPC, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a>, <a class="indexterm" href="ProfileMgmt.html#id424080">Roaming Profiles</a></dt><dt>RPC calls, <a class="indexterm" href="winbind.html#id421094">Conclusion</a>, <a class="indexterm" href="SambaHA.html#id434861">The Front-End Challenge</a></dt><dt>RPC modules, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>rpc.lockd, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>rpcclient, <a class="indexterm" href="NetCommand.html">Remote and Local Management: The Net Command</a>, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a>, <a class="indexterm" href="classicalprinting.html#id395688">Specific Driver Name Flexibility</a>, <a class="indexterm" href="CUPS-printing.html#id410123">Troubleshooting Revisited</a>, <a class="indexterm" 
href="PolicyMgmt.html#id423743">Samba PDC</a></dt><dd><dl><dt>adddriver, <a class="indexterm" href="CUPS-printing.html#id407782">Run cupsaddsmb with Verbose Output</a>, <a class="indexterm" href="CUPS-printing.html#id407885">Understanding cupsaddsmb</a>, <a class="indexterm" href="CUPS-printing.html#id408496">Installing PostScript Driver Files Manually Using rpcclient</a>, <a class="indexterm" href="CUPS-printing.html#id408822">Understanding the rpcclient man Page</a>, <a class="indexterm" href="CUPS-printing.html#id409034">Requirements for adddriver and setdriver to Succeed</a>, <a class="indexterm" href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a></dt><dt>enumdrivers, <a class="indexterm" href="CUPS-printing.html#id408496">Installing PostScript Driver Files Manually Using rpcclient</a>, <a class="indexterm" href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a></dt><dt>enumports, <a class="indexterm" href="CUPS-printing.html#id408496">Installing PostScript Driver Files Manually Using rpcclient</a></dt><dt>enumprinters, <a class="indexterm" href="CUPS-printing.html#id408496">Installing PostScript Driver Files Manually Using rpcclient</a>, <a class="indexterm" href="CUPS-printing.html#id409034">Requirements for adddriver and setdriver to Succeed</a>, <a class="indexterm" href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a>, <a class="indexterm" href="CUPS-printing.html#id410123">Troubleshooting Revisited</a></dt><dt>getdriver, <a class="indexterm" href="CUPS-printing.html#id408914">Producing an Example by Querying a Windows Box</a>, <a class="indexterm" href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a></dt><dt>getprinter, <a class="indexterm" href="CUPS-printing.html#id408914">Producing an Example by Querying a Windows Box</a>, <a class="indexterm" href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a>, <a class="indexterm" 
href="CUPS-printing.html#id410123">Troubleshooting Revisited</a></dt><dt>setdriver, <a class="indexterm" href="CUPS-printing.html#id407173">Caveats to Be Considered</a>, <a class="indexterm" href="CUPS-printing.html#id407782">Run cupsaddsmb with Verbose Output</a>, <a class="indexterm" href="CUPS-printing.html#id407885">Understanding cupsaddsmb</a>, <a class="indexterm" href="CUPS-printing.html#id408496">Installing PostScript Driver Files Manually Using rpcclient</a>, <a class="indexterm" href="CUPS-printing.html#id409034">Requirements for adddriver and setdriver to Succeed</a>, <a class="indexterm" href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a></dt></dl></dd><dt>rsh, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>rsync, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a>, <a class="indexterm" href="Backup.html#id434031">BackupPC</a>, <a class="indexterm" href="Backup.html#id434193">Rsync</a>, <a class="indexterm" href="compiling.html#id449526">Accessing the Samba Sources via rsync and ftp</a></dt><dt>rsyncd, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>runas, <a class="indexterm" href="classicalprinting.html#id396553">Always Make First Client Connection as root or &#8220;printer admin&#8221;</a></dt><dt>rundll32, <a class="indexterm" href="classicalprinting.html#id396442">Additional Client Driver Installation</a>, <a class="indexterm" href="classicalprinting.html#id396728">Setting Default Print Options for Client Drivers</a>, <a class="indexterm" href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a>, <a class="indexterm" 
href="AdvancedNetworkManagement.html#id422250">Adding Printers without User Intervention</a></dt></dl></div><div class="indexdiv"><h3>S</h3><dl><dt>SAM, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id339540">Machine Accounts Keep Expiring</a>, <a class="indexterm" href="samba-bdc.html#id339588">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a>, <a class="indexterm" href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a>, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a>, <a class="indexterm" href="winbind.html#id418546">Result Caching</a></dt><dd><dl><dt>delta file, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>replication, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt></dl></dd><dt>SAM backend, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dd><dl><dt>LDAP, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a></dt><dt>ldapsam, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a>, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" 
href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id362365">ldapsam</a></dt><dt>ldapsam_compat, <a class="indexterm" href="passdb.html#id356961">Features and Benefits</a></dt><dt>non-LDAP, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a></dt><dt>smbpasswd, <a class="indexterm" href="passdb.html#id356961">Features and Benefits</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>tdbsam, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a>, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" href="passdb.html#id362220">tdbsam</a></dt></dl></dd><dt>Samba 1.9.17, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a></dt><dt>Samba account, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>Samba administrator, <a class="indexterm" href="winbind.html#id418602">Introduction</a></dt><dt>Samba backend database, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a></dt><dt>Samba daemons, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>Samba differences, <a class="indexterm" href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></dt><dt>Samba mailing lists, <a class="indexterm" href="Backup.html#id433904">Features and Benefits</a></dt><dt>Samba private directory, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>Samba SAM, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>Samba SAM account, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a></dt><dt>Samba SAM 
account flags, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a></dt><dt>Samba schema, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>Samba security, <a class="indexterm" href="securing-samba.html#id385353">Features and Benefits</a></dt><dt>Samba-2.2.x LDAP schema, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></dt><dt>Samba-3-compatible LDAP backend, <a class="indexterm" href="upgrading-to-3.0.html#id438531">Quick Migration Guide</a></dt><dt>Samba-PDC-LDAP-HOWTO, <a class="indexterm" href="passdb.html#id362365">ldapsam</a></dt><dt>samba-to-samba trusts, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>samba-vscan, <a class="indexterm" href="VFS.html#id417002">vscan</a></dt><dt>samba.schema, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>sambaDomain, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>sambaGroupMapping, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>sambaHomeDrive, <a class="indexterm" href="passdb.html#id364001">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>sambaHomePath, <a class="indexterm" href="passdb.html#id364001">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>sambaIdmapEntry, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>sambaLogonScript, <a class="indexterm" href="passdb.html#id364001">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>SambaNTPassword, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>sambaProfilePath, <a class="indexterm" href="passdb.html#id364001">LDAP Special 
Attributes for sambaSamAccounts</a></dt><dt>SambaSAMAccount, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="passdb.html#acctmgmttools">Account Management Tools</a>, <a class="indexterm" href="passdb.html#id360831">Adding User Accounts</a>, <a class="indexterm" href="passdb.html#id360908">Deleting Accounts</a>, <a class="indexterm" href="passdb.html#id360988">Changing User Accounts</a>, <a class="indexterm" href="passdb.html#id362220">tdbsam</a></dt><dt>sambaSamAccount, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a>, <a class="indexterm" href="passdb.html#id363677">Accounts and Groups Management</a>, <a class="indexterm" href="passdb.html#id364001">LDAP Special Attributes for sambaSamAccounts</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>sambaSAMAccount, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>sambaSID, <a class="indexterm" href="ChangeNotes.html#id349573">LDAP Changes in Samba-3.0.23</a></dt><dt>sambaUNIXIdPool, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>SambaXP conference, <a class="indexterm" href="SambaHA.html#id434596">Technical Discussion</a></dt><dt>samdb interface, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>same domain/workgroup, <a class="indexterm" href="cfgsmarts.html#id437590">Multiple Virtual Server Hosting</a></dt><dt>Sarbanes-Oxley, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a></dt><dt>scalability, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" 
href="samba-bdc.html#id336899">Features and Benefits</a>, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#id362220">tdbsam</a>, <a class="indexterm" href="InterdomainTrusts.html#id386823">Features and Benefits</a></dt><dt>scalable, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>scalable backend, <a class="indexterm" href="InterdomainTrusts.html#id386823">Features and Benefits</a></dt><dt>scalable coherent interface (see SCI)</dt><dt>scale, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>scanner module, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>schannel, <a class="indexterm" href="samba-pdc.html#id336727">Cannot Log onto Domain Member Workstation After Joining Domain</a></dt><dt>schema, <a class="indexterm" href="idmapper.html#id375947">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></dt><dt>schema file, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>scp, <a class="indexterm" href="Backup.html#id434193">Rsync</a></dt><dt>script, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a></dt><dt>scripted control, <a class="indexterm" href="NetCommand.html">Remote and Local Management: The Net Command</a></dt><dt>scripts, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a>, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>SCSI, <a class="indexterm" href="SambaHA.html#id435490">High-Availability Server Products</a></dt><dt>SeAddUsersPrivilege, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a>, <a class="indexterm" href="rights.html#id377149">Description of 
Privileges</a></dt><dt>SeAssignPrimaryTokenPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeAuditPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeBackupPrivilege, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeChangeNotifyPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>Seclib, <a class="indexterm" href="AccessControls.html#id381286">Viewing File Ownership</a></dt><dt>secondary controller, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>SeCreateGlobalPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeCreatePagefilePrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeCreatePermanentPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeCreateTokenPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>secret, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>secrets.tdb, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a>, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a>, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also 
TDB)</dt></dl></dd><dt>section name, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a></dt><dt>secure, <a class="indexterm" href="StandAloneServer.html#id344722">Features and Benefits</a></dt><dt>secure access, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>secure authentication, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>secure communications, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>secured networks, <a class="indexterm" href="securing-samba.html#id385260">Introduction</a></dt><dt>security, <a class="indexterm" href="ServerType.html#id330959">Samba Security Modes</a>, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="securing-samba.html#id385260">Introduction</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dd><dl><dt>controllers, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></dt><dt>modes, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a></dt><dt>settings, <a class="indexterm" href="install.html#id325348">Example Configuration</a></dt></dl></dd><dt>security = user, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>security account, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>Security Account Manager (see SAM)</dt><dt>Security Assertion Markup Language (see SAML)</dt><dt>security context, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>security contexts, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>security credentials, <a class="indexterm" href="idmapper.html#id374021">Backup Domain Controller</a>, <a 
class="indexterm" href="InterdomainTrusts.html#id387144">Native MS Windows NT4 Trusts Configuration</a></dt><dt>security domain, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>security domains, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>security flaw, <a class="indexterm" href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a></dt><dt>security hole, <a class="indexterm" href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></dt><dt>security identifier, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a> (see SID)</dt><dt>security level, <a class="indexterm" href="ServerType.html#id331998">Server Security (User Level Security)</a></dt><dt>security levels, <a class="indexterm" href="ServerType.html#id330959">Samba Security Modes</a></dt><dt>security mode, <a class="indexterm" href="ServerType.html">Server Types and Security Modes</a>, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a></dt><dt>Security Mode, <a class="indexterm" href="ServerType.html#id330959">Samba Security Modes</a></dt><dt>security modes, <a class="indexterm" href="ServerType.html#id330959">Samba Security Modes</a></dt><dt>security name-space, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a></dt><dt>security policies, <a class="indexterm" href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a></dt><dt>security settings, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>security structure, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>security vulnerability, <a class="indexterm" href="securing-samba.html#id386212">Upgrading Samba</a></dt><dt>security-aware, <a class="indexterm" 
href="CUPS-printing.html#id404106">application/octet-stream Printing</a></dt><dt>SeDebugPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeDiskOperatorPrivilege, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a>, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>SeEnableDelegationPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeImpersonatePrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeIncreaseBasePriorityPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeIncreaseQuotaPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeLoadDriverPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeLockMemoryPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeMachineAccountPrivilege, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a>, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a>, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeManageVolumePrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>separate instances, <a class="indexterm" 
href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>separate servers, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>separate shares, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>separate workgroups, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>SePrintOperatorPrivilege, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a>, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>SeProfileSingleProcessPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeRemoteShutdownPrivilege, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a>, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a>, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeRestorePrivilege, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>server failure, <a class="indexterm" href="SambaHA.html#id434749">Why Is This So Hard?</a></dt><dt>Server Manager, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a class="indexterm" 
href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a></dt><dt>Server Manager for Domains, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>Server Message Block (see SMB)</dt><dt>server pool, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a>, <a class="indexterm" href="SambaHA.html#id435168">Restrictive Constraints on Distributed File Systems</a></dt><dt>Server Type, <a class="indexterm" href="ServerType.html#id330822">Server Types</a></dt><dd><dl><dt>Domain Controller, <a class="indexterm" href="FastStart.html#id328803">Domain Controller</a></dt><dt>Domain Member, <a class="indexterm" href="FastStart.html#id328002">Domain Member Server</a>, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a></dt><dt>Stand-alone, <a class="indexterm" href="FastStart.html#id326370">Standalone Server</a></dt></dl></dd><dt>server type, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dd><dl><dt>domain member, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a></dt></dl></dd><dt>Server Types, <a class="indexterm" href="idmapper.html#id372830">Samba Server Deployment Types and IDMAP</a></dt><dt>server-mode, <a class="indexterm" href="ServerType.html#id332443">What Makes Samba a Domain Controller?</a></dt><dt>service name, <a class="indexterm" href="install.html#id325348">Example Configuration</a></dt><dt>service-level, <a class="indexterm" href="classicalprinting.html#id389393">Printing-Related Configuration Parameters</a>, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>services provided, <a class="indexterm" href="ch47.html">Samba Support</a></dt><dt>SeSecurityPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by 
Windows 2000 Domain Controllers</a></dt><dt>SeShutdownPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>session, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>session services, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt><dt>session setup, <a class="indexterm" href="ServerType.html#id331101">User Level Security</a>, <a class="indexterm" href="ServerType.html#id331998">Server Security (User Level Security)</a></dt><dt>sessionid.tdb, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>SessionSetupAndX, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>SeSyncAgentPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeSystemEnvironmentPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeSystemProfilePrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeSystemtimePrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>set a password, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>set group id (see SGID)</dt><dt>set printer properties, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>set user id (see SUID)</dt><dt>SeTakeOwnershipPrivilege, <a class="indexterm" href="NetCommand.html#id370027">Administering User Rights and Privileges</a>, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a>, <a class="indexterm" href="rights.html#id377149">Description of 
Privileges</a>, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>SeTcbPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>setdriver, <a class="indexterm" href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a>, <a class="indexterm" href="CUPS-printing.html#id409034">Requirements for adddriver and setdriver to Succeed</a></dt><dt>SetPrinter(), <a class="indexterm" href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a></dt><dt>setting up directories, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>SeUndockPrivilege, <a class="indexterm" href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></dt><dt>severely impaired, <a class="indexterm" href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a></dt><dt>SFU, <a class="indexterm" href="idmapper.html#id376203">IDMAP, Active Directory, and MS Services for UNIX 3.5</a></dt><dt>SFU 3.5, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a></dt><dt>SGI-RGB, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>SGID, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>shadow, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></dt><dt>shadow copies, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>shadow password file, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>shadow utilities, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a></dt><dt>shadow_copy, <a class="indexterm" href="VFS.html#id416094">shadow_copy</a>, <a class="indexterm" href="VFS.html#id416266">Shadow Copy 
Setup</a></dt><dt>shadow_copy module, <a class="indexterm" href="VFS.html#id416094">shadow_copy</a></dt><dt>share, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a>, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a>, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>share access, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a></dt><dt>share ACLs, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>share management, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>share modes, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a></dt><dt>share permissions, <a class="indexterm" href="AccessControls.html#id380864">Windows NT4 Workstation/Server</a></dt><dt>Share Permissions, <a class="indexterm" href="AccessControls.html#id380962">Windows 200x/XP</a></dt><dt>share settings, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a></dt><dt>share stanza controls, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>share-level, <a class="indexterm" href="ServerType.html#id330959">Samba Security Modes</a>, <a class="indexterm" href="ServerType.html#id331249">Share-Level Security</a>, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>share-level ACLs, <a class="indexterm" href="groupmapping.html#id366379">Applicable Only to Versions Earlier than 3.0.11</a></dt><dt>share-mode, <a class="indexterm" href="StandAloneServer.html#id344722">Features and Benefits</a></dt><dt>share-mode security, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a></dt><dt>share-mode server, <a class="indexterm" href="StandAloneServer.html#id344722">Features and Benefits</a></dt><dt>shared secret, <a 
class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>shares, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a></dt><dt>shares and files, <a class="indexterm" href="winbind.html#id418709">Requirements</a></dt><dt>share_info.tdb, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a>, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>Sharing, <a class="indexterm" href="AccessControls.html#id380962">Windows 200x/XP</a></dt><dt>shell scripts, <a class="indexterm" href="classicalprinting.html#id392052">Print Commands</a></dt><dt>shift, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>Shift_JIS, <a class="indexterm" href="unicode.html#id432847">Japanese Charsets</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>shortcuts, <a class="indexterm" href="ClientConfig.html#id346080">TCP/IP Configuration</a>, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>Shortcuts, <a class="indexterm" href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>show-stopper-type, <a class="indexterm" href="NT4Migration.html#id441392">Planning and Getting Started</a></dt><dt>SID, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id336513">The System Cannot Log You On (C000019B)</a>, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="domain-member.html#id344082">Sharing 
User ID Mappings between Samba Domain Members</a>, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a>, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain Controller</a>, <a class="indexterm" href="idmapper.html#id374842">IDMAP_RID with Winbind</a>, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a>, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id417844">Handling of Foreign SIDs</a>, <a class="indexterm" href="ProfileMgmt.html#id426269">Side Bar Notes</a>, <a class="indexterm" href="ProfileMgmt.html#id426358">Get SID</a>, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a>, <a class="indexterm" href="NT4Migration.html#id442200">Profile Migration/Creation</a></dt><dt>SID management, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>SID-to-GID, <a class="indexterm" 
href="groupmapping.html#id364981">Features and Benefits</a></dt><dt>SIDs, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>signing, <a class="indexterm" href="samba-pdc.html#id336727">Cannot Log onto Domain Member Workstation After Joining Domain</a></dt><dt>Signing, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>simple access controls, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>simple configuration, <a class="indexterm" href="install.html#id325348">Example Configuration</a></dt><dt>simple guide, <a class="indexterm" href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></dt><dt>Simple Object Access Protocol (see SOAP)</dt><dt>simple operation, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>simple print server, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt><dt>simple printing, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a></dt><dt>simplest</dt><dd><dl><dt>configuration, <a class="indexterm" href="install.html#id325348">Example Configuration</a></dt></dl></dd><dt>simplicity, <a class="indexterm" href="StandAloneServer.html#id344722">Features and Benefits</a></dt><dt>Simplicity is king, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>single DHCP server, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>single repository, <a class="indexterm" href="passdb.html">Account Information Databases</a></dt><dt>single server, <a class="indexterm" href="SambaHA.html#id434861">The Front-End Challenge</a></dt><dt>single sign-on, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a> (see SSO)</dt><dt>Single Sign-On, <a class="indexterm" 
href="CUPS-printing.html#id407173">Caveats to Be Considered</a></dt><dt>single-byte charsets, <a class="indexterm" href="unicode.html#id432573">What Are Charsets and Unicode?</a></dt><dt>single-logon, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a></dt><dt>single-sign-on, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>single-user mode, <a class="indexterm" href="winbind.html#id418709">Requirements</a></dt><dt>slapadd, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a></dt><dt>slapd, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a></dt><dt>slapd.conf, <a class="indexterm" href="ChangeNotes.html#id349573">LDAP Changes in Samba-3.0.23</a>, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a>, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>slapd.pem, <a class="indexterm" href="samba-bdc.html#id337967">LDAP Configuration Notes</a></dt><dt>slapindex, <a class="indexterm" href="ChangeNotes.html#id349573">LDAP Changes in Samba-3.0.23</a></dt><dt>slappasswd, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a></dt><dt>slave servers, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>slow browsing, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></dt><dt>slow network, <a class="indexterm" href="speed.html#id452577">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt>slow network browsing, <a class="indexterm" href="NetworkBrowsing.html#id356510">Invalid Cached Share References Affects Network Browsing</a></dt><dt>slow performance, <a class="indexterm" href="speed.html#id452749">Samba Performance is Very Slow</a></dt><dt>smart printers, <a class="indexterm" href="CUPS-printing.html#id398866">Overview</a></dt><dt>SMB, <a class="indexterm" 
href="ServerType.html#id331998">Server Security (User Level Security)</a>, <a class="indexterm" href="domain-member.html#id344604">I Can't Join a Windows 2003 PDC</a>, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a>, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id354713">Technical Overview of Browsing</a>, <a class="indexterm" href="securing-samba.html#id385704">Using Interface Protection</a>, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a>, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a>, <a class="indexterm" href="Backup.html#id434031">BackupPC</a>, <a class="indexterm" href="SambaHA.html#id434861">The Front-End Challenge</a>, <a class="indexterm" href="SambaHA.html#id435235">Server Pool Communications</a>, <a class="indexterm" href="problems.html">Analyzing and Solving Samba Problems</a></dt><dt>SMB encryption, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>SMB locks, <a class="indexterm" href="SambaHA.html#id435235">Server Pool Communications</a></dt><dt>SMB name, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a></dt><dt>SMB networking, <a class="indexterm" href="problems.html#id446780">Diagnostics Tools</a></dt><dt>SMB password, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a></dt><dt>SMB Password, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>SMB password encryption, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>smb ports, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server 
Personalities</a></dt><dt>SMB printers, <a class="indexterm" href="CUPS-printing.html#id413852">Administrator Cannot Install Printers for All Local Users</a></dt><dt>SMB requests, <a class="indexterm" href="SambaHA.html#id434948">Demultiplexing SMB Requests</a></dt><dt>SMB semantics, <a class="indexterm" href="SambaHA.html#id435046">The Distributed File System Challenge</a></dt><dt>SMB server, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>SMB Server, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>SMB services, <a class="indexterm" href="SambaHA.html#id435168">Restrictive Constraints on Distributed File Systems</a></dt><dt>SMB signing, <a class="indexterm" href="domain-member.html#id344604">I Can't Join a Windows 2003 PDC</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>SMB state information, <a class="indexterm" href="SambaHA.html#id434948">Demultiplexing SMB Requests</a></dt><dt>SMB-based messaging, <a class="indexterm" href="NetworkBrowsing.html#netdiscuss">Discussion</a></dt><dt>smb-cdserver.conf, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>smb.conf, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>SMB/CIFS, <a class="indexterm" href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a>, <a class="indexterm" href="domain-member.html#id344604">I Can't Join a Windows 2003 PDC</a>, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a>, <a class="indexterm" href="unicode.html#id432573">What Are Charsets and Unicode?</a></dt><dt>SMB/CIFS server, <a class="indexterm" href="passdb.html#id361852">Password Backends</a></dt><dt>smbclient, <a class="indexterm" href="domain-member.html#ads-test-smbclient">Testing with smbclient</a>, <a class="indexterm" 
href="classicalprinting.html#id394988">Installing Driver Files into [print$]</a>, <a class="indexterm" href="classicalprinting.html#id395182">smbclient to Confirm Driver Installation</a>, <a class="indexterm" href="Backup.html#id434031">BackupPC</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a>, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a></dt><dt>smbd, <a class="indexterm" href="install.html#id325180">Starting Samba</a>, <a class="indexterm" href="install.html#id325348">Example Configuration</a>, <a class="indexterm" href="install.html#id325571">Test Your Config File with testparm</a>, <a class="indexterm" href="FastStart.html#id327301">Secure Read-Write File and Print Server</a>, <a class="indexterm" href="FastStart.html#id328056">Example Configuration</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a>, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="passdb.html#id363272">Configuring Samba</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374170">NT4-Style Domains (Includes Samba Domains)</a>, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a>, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a>, <a class="indexterm" href="classicalprinting.html#id389939">Rapid Configuration Validation</a>, <a class="indexterm" href="VFS.html#id415364">extd_audit</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id418852">Testing Things Out</a>, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a>, <a class="indexterm" href="winbind.html#id420170">Linux</a>, <a class="indexterm" 
href="winbind.html#id420337">Solaris</a>, <a class="indexterm" href="SambaHA.html#id435235">Server Pool Communications</a>, <a class="indexterm" href="largefile.html">Handling Large Directories</a>, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a>, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a></dt><dt>smbgroupedit, <a class="indexterm" href="NetCommand.html">Remote and Local Management: The Net Command</a></dt><dt>smbgrpadd.sh, <a class="indexterm" href="groupmapping.html#id367182">Sample smb.conf Add Group Script</a></dt><dt>smbHome, <a class="indexterm" href="passdb.html#id364001">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>smbldap-groupadd, <a class="indexterm" href="NetCommand.html#id368450">Adding or Creating a New Group</a></dt><dt>smbldap-tools, <a class="indexterm" href="passdb.html#id362365">ldapsam</a></dt><dt>smbpasswd, <a class="indexterm" href="ServerType.html#id331603">Example Configuration</a>, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a>, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id342799">Configure smb.conf</a>, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a>, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a>, <a 
class="indexterm" href="passdb.html#acctmgmttools">Account Management Tools</a>, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a>, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a class="indexterm" href="passdb.html#id360511">User Account Management</a>, <a class="indexterm" href="passdb.html#id361730">Account Import/Export</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a>, <a class="indexterm" href="passdb.html#id362365">ldapsam</a>, <a class="indexterm" href="passdb.html#id362646">Schema and Relationship to the RFC 2307 posixAccount</a>, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a class="indexterm" href="PolicyMgmt.html#id423743">Samba PDC</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440518">Passdb Backends and Authentication</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440701">New Schema</a></dt><dt>smbpasswd format, <a class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a></dt><dt>smbpasswd plaintext database, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>SMBsessetupX, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a></dt><dt>smbspool, <a class="indexterm" href="CUPS-printing.html#id413023">Printing from CUPS to Windows-Attached Printers</a></dt><dt>smbstatus, <a class="indexterm" href="CUPS-printing.html#id413674">Avoid Being Connected to the Samba Server as the Wrong User</a>, <a class="indexterm" href="bugreport.html#id448498">Attaching to a Running Process</a></dt><dt>SMBtconX, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 
9x/Me</a></dt><dt>smbusers, <a class="indexterm" href="securing-samba.html#id385646">User-Based Protection</a></dt><dt>SMS, <a class="indexterm" href="problems.html#id447261">The Windows Network Monitor</a></dt><dt>Snapshots, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>sniffer, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="problems.html#id446780">Diagnostics Tools</a></dt><dt>socket, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>socket address, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>SOFTQ printing system, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>Solaris, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="winbind.html#id420500">Configure Winbind and PAM</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>Solaris 9, <a class="indexterm" href="winbind.html#id420337">Solaris</a></dt><dt>source code, <a class="indexterm" href="install.html#id325348">Example Configuration</a></dt><dt>space character, <a class="indexterm" href="groupmapping.html#id367467">Adding Groups Fails</a></dt><dt>special account, <a class="indexterm" href="rights.html">User Rights and Privileges</a>, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>special section, <a class="indexterm" href="classicalprinting.html#id393726">[print$] Stanza Parameters</a></dt><dt>special sections, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>special stanza, <a 
class="indexterm" href="classicalprinting.html#id393726">[print$] Stanza Parameters</a></dt><dt>specific restrictions, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a></dt><dt>Specify an IP address, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>spinning process, <a class="indexterm" href="bugreport.html#id448498">Attaching to a Running Process</a></dt><dt>spool, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a></dt><dd><dl><dt>directory, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a></dt></dl></dd><dt>spool files, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a></dt><dt>spooled file, <a class="indexterm" href="classicalprinting.html#id389202">Technical Introduction</a></dt><dt>spooler., <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a></dt><dt>spooling, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a>, <a class="indexterm" href="CUPS-printing.html#id399907">Central Spooling vs. &#8220;Peer-to-Peer&#8221; Printing</a></dt><dd><dl><dt>central, <a class="indexterm" href="CUPS-printing.html#id399907">Central Spooling vs. &#8220;Peer-to-Peer&#8221; Printing</a></dt><dt>peer-to-peer, <a class="indexterm" href="CUPS-printing.html#id399907">Central Spooling vs. 
&#8220;Peer-to-Peer&#8221; Printing</a></dt></dl></dd><dt>spooling path, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a></dt><dt>spooling-only, <a class="indexterm" href="CUPS-printing.html#id399952">Raw Print Serving: Vendor Drivers on Windows Clients</a></dt><dt>SPOOLSS, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>SQL, <a class="indexterm" href="ChangeNotes.html#id349400">Passdb Changes</a></dt><dt>SQUID, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>SRV records, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt><dt>SRV RR, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a></dt><dt>SrvMgr.exe, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>srvmgr.exe, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>SRVTOOLS.EXE, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a></dt><dt>ssh, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a>, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>SSH, <a class="indexterm" href="classicalprinting.html#id395182">smbclient to Confirm Driver Installation</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote 
Management with ThinLinc</a></dt><dt>SSL, <a class="indexterm" href="SWAT.html#id443982">Securing SWAT through SSL</a></dt><dt>SSO, <a class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a>, <a class="indexterm" href="passdb.html#id358700">Comments Regarding LDAP</a></dt><dt>stability, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>stack trace, <a class="indexterm" href="bugreport.html#id448377">Internal Errors</a></dt><dt>stale network links, <a class="indexterm" href="NetworkBrowsing.html#id356510">Invalid Cached Share References Affects Network Browsing</a></dt><dt>stand-alone server, <a class="indexterm" href="idmapper.html#id372854">Standalone Samba Server</a></dt><dt>standalone, <a class="indexterm" href="ServerType.html#id330822">Server Types</a>, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>standalone filter, <a class="indexterm" href="CUPS-printing.html#id402868">pstoraster</a></dt><dt>standalone server, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="StandAloneServer.html">Standalone Servers</a>, <a class="indexterm" href="StandAloneServer.html#id344722">Features and Benefits</a>, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="passdb.html#id360831">Adding User Accounts</a>, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a>, <a class="indexterm" href="NT4Migration.html#id441806">Domain Layout</a></dt><dt>standard confirmation, <a class="indexterm" href="InterdomainTrusts.html#id387178">Creating an NT4 Domain 
Trust</a></dt><dt>stanza, <a class="indexterm" href="install.html#id324334">Configuration File Syntax</a>, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>stapling, <a class="indexterm" href="CUPS-printing.html#id402708">pstops</a></dt><dt>StartDocPrinter, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>starting samba</dt><dd><dl><dt>nmbd, <a class="indexterm" href="install.html#id325180">Starting Samba</a>, <a class="indexterm" href="FastStart.html#id327301">Secure Read-Write File and Print Server</a>, <a class="indexterm" href="FastStart.html#id328056">Example Configuration</a></dt><dt>smbd, <a class="indexterm" href="install.html#id325180">Starting Samba</a>, <a class="indexterm" href="FastStart.html#id327301">Secure Read-Write File and Print Server</a>, <a class="indexterm" href="FastStart.html#id328056">Example Configuration</a></dt><dt>winbindd, <a class="indexterm" href="install.html#id325180">Starting Samba</a>, <a class="indexterm" href="FastStart.html#id328056">Example Configuration</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a></dt></dl></dd><dt>startsmb, <a class="indexterm" href="compiling.html#id450403">Alternative: Starting smbd as a Daemon</a></dt><dt>StartTLS, <a class="indexterm" href="passdb.html#id363782">Security and sambaSamAccount</a></dt><dt>startup</dt><dd><dl><dt>process, <a class="indexterm" href="install.html#id325180">Starting Samba</a></dt></dl></dd><dt>startup script, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>state, <a class="indexterm" href="SambaHA.html#id434749">Why Is This So Hard?</a></dt><dt>state information, <a class="indexterm" href="SambaHA.html#id434749">Why Is This So Hard?</a></dt><dt>state of knowledge, <a class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a></dt><dt>static WINS entries, <a class="indexterm" 
href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>status32 codes, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>sticky bit, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a>, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>storage mechanism, <a class="indexterm" href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dt>storage methods, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a></dt><dt>stphoto2.ppd, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>strange delete semantics, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>stripped of comments, <a class="indexterm" href="SWAT.html#id443273">Features and Benefits</a></dt><dt>strptime, <a class="indexterm" href="passdb.html#id360988">Changing User Accounts</a></dt><dt>stunnel, <a class="indexterm" href="SWAT.html#id443982">Securing SWAT through SSL</a></dt><dt>su, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>subnet mask, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>subnets, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></dt><dt>subscription, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>subsuffix parameters, <a class="indexterm" href="upgrading-to-3.0.html#id441075">New Suffix for Searching</a></dt><dt>Subversion, <a class="indexterm" href="compiling.html#id449315">Introduction</a>, <a class="indexterm" href="compiling.html#id449397">Access via 
Subversion</a></dt><dt>successful join, <a class="indexterm" href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt>successful migration, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>sufficient, <a class="indexterm" href="pam.html#id429016">Anatomy of /etc/pam.d Entries</a></dt><dt>suffixes, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>SUID, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>Sun, <a class="indexterm" href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dt>Sun ONE iDentity server, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>Sun Solaris, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>SUN-Raster, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>support, <a class="indexterm" href="ch47.html">Samba Support</a></dt><dt>support exposure, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>SVN</dt><dd><dl><dt>web, <a class="indexterm" href="compiling.html#id449365">Access via ViewCVS</a></dt></dl></dd><dt>SVRTOOLS.EXE, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt><dt>SWAT, <a class="indexterm" href="install.html#id324296">Configuring Samba (smb.conf)</a>, <a class="indexterm" href="SWAT.html">SWAT: The Samba Web Administration Tool</a></dt><dt>swat, <a class="indexterm" href="install.html#id325726">SWAT</a>, <a class="indexterm" href="SWAT.html#id443404">Validate SWAT Installation</a>, <a class="indexterm" href="SWAT.html#id443466">Locating the SWAT File</a>, <a class="indexterm" href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dd><dl><dt>enable, <a class="indexterm" href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>security, <a class="indexterm" href="SWAT.html#id443982">Securing SWAT 
through SSL</a></dt></dl></dd><dt>SWAT binary support, <a class="indexterm" href="SWAT.html#id443404">Validate SWAT Installation</a></dt><dt>swat command-line options, <a class="indexterm" href="SWAT.html#id443466">Locating the SWAT File</a></dt><dt>SWAT permission allowed, <a class="indexterm" href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>symbolic links, <a class="indexterm" href="msdfs.html#id388393">Features and Benefits</a></dt><dt>synchronization, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a>, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>synchronization problems, <a class="indexterm" href="winbind.html#id417589">Introduction</a></dt><dt>synchronize, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="NetworkBrowsing.html#id353486">Use of the Remote Browse Sync Parameter</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>synchronized, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a></dt><dt>syntax tolerates spelling errors, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a></dt><dt>system access controls, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a></dt><dt>system accounts, <a class="indexterm" href="passdb.html#id360511">User Account Management</a></dt><dt>system administrator, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>system groups, <a class="indexterm" href="NetCommand.html#id368629">Mapping 
Windows Groups to UNIX Groups</a></dt><dt>system interface scripts, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>system policies, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a></dt><dt>System Policy Editor, <a class="indexterm" href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a>, <a class="indexterm" href="PolicyMgmt.html#id423192">Administration of Windows 200x/XP Policies</a>, <a class="indexterm" href="ProfileMgmt.html#id426639">MS Windows 9x/Me</a></dt><dt>system security, <a class="indexterm" href="groupmapping.html#id366379">Applicable Only to Versions Earlier than 3.0.11</a></dt><dt>system tools, <a class="indexterm" href="Backup.html#id433904">Features and Benefits</a></dt><dt>SYSV, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>SYSVOL, <a class="indexterm" href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a></dt></dl></div><div class="indexdiv"><h3>T</h3><dl><dt>tail, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a></dt><dt>take ownership, <a class="indexterm" href="rights.html#id377149">Description of Privileges</a></dt><dt>Take Ownership, <a class="indexterm" href="AccessControls.html#id381286">Viewing File Ownership</a></dt><dt>tape, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>tar, <a class="indexterm" href="Backup.html#id434031">BackupPC</a></dt><dt>tarball, <a class="indexterm" href="install.html#id325348">Example Configuration</a></dt><dt>tattoo effect, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>TCP, <a class="indexterm" href="NetworkBrowsing.html#id353180">Multiple Interfaces</a>, <a class="indexterm" href="SambaHA.html#id434749">Why Is This So Hard?</a></dt><dt>TCP data streams, <a class="indexterm" href="SambaHA.html#id434861">The Front-End 
Challenge</a></dt><dt>TCP failover, <a class="indexterm" href="SambaHA.html#id434749">Why Is This So Hard?</a></dt><dt>TCP port, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt><dt>TCP port 139, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>TCP port 445, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dt>tcp ports, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a></dt><dt>TCP/IP, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a>, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a>, <a class="indexterm" href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a></dt><dt>TCP/IP configuration, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>TCP/IP configuration panel, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>TCP/IP protocol configuration, <a class="indexterm" href="ClientConfig.html#id346039">Technical Details</a></dt><dt>TCP/IP protocol settings, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>TCP/IP protocol stack, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></dt><dt>TCP/IP-only, <a class="indexterm" href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a></dt><dt>tcpdump, <a class="indexterm" 
href="problems.html#id447073">Tcpdump</a></dt><dt>TDB, <a class="indexterm" href="passdb.html#id357165">New Account Storage Systems</a>, <a class="indexterm" href="classicalprinting.html#id395790">Running rpcclient with setdriver</a>, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a>, <a class="indexterm" href="CUPS-printing.html#id410454">Trivial Database Files</a>, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dd><dl><dt>backing up (see tdbbackup)</dt></dl></dd><dt>tdb, <a class="indexterm" href="winbind.html#id418479">User and Group ID Allocation</a>, <a class="indexterm" href="SambaHA.html#id435235">Server Pool Communications</a>, <a class="indexterm" href="tdb.html#id448693">Features and Benefits</a></dt><dt>tdb data files, <a class="indexterm" href="upgrading-to-3.0.html#id440092">TDB Data Files</a></dt><dt>TDB database, <a class="indexterm" href="classicalprinting.html#id395292">Running rpcclient with adddriver</a></dt><dt>TDB database files, <a class="indexterm" href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></dt><dt>tdb file backup, <a class="indexterm" href="upgrading-to-3.0.html#id440092">TDB Data Files</a></dt><dt>tdb file descriptions, <a class="indexterm" href="install.html#tdbdocs">TDB Database File Information</a>, <a class="indexterm" href="upgrading-to-3.0.html#id440092">TDB Data Files</a></dt><dt>tdb file locations, <a class="indexterm" href="install.html#tdbdocs">TDB Database File Information</a></dt><dt>tdb files, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a></dt><dt>tdbbackup, <a class="indexterm" href="CUPS-printing.html#id410623">Using tdbbackup</a>, <a class="indexterm" href="speed.html#id452660">Corrupt tdb Files</a></dt><dt>tdbdump, <a class="indexterm" href="AccessControls.html#id380718">Access Controls on Shares</a></dt><dt>tdbsam, <a class="indexterm" href="samba-pdc.html#id334811">Domain 
Control: Example Configuration</a>, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="passdb.html">Account Information Databases</a>, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a>, <a class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a>, <a class="indexterm" href="passdb.html#id362220">tdbsam</a>, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>tdbsam databases, <a class="indexterm" href="passdb.html#id361852">Password Backends</a></dt><dt>technical reviewers, <a class="indexterm" href="cfgsmarts.html">Advanced Configuration Techniques</a></dt><dt>Telnet, <a class="indexterm" href="passdb.html#id358119">Advantages of Non-Encrypted Passwords</a></dt><dt>telnet logins, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a></dt><dt>template, <a class="indexterm" href="ProfileMgmt.html#id426546">Creating and Managing Group Profiles</a></dt><dt>temporary location, <a class="indexterm" href="classicalprinting.html#id392052">Print Commands</a></dt><dt>terminal server, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a></dt><dt>Terminal Server, <a class="indexterm" href="SambaHA.html#id434948">Demultiplexing SMB Requests</a></dt><dt>Testing Server Setup, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>testparm, <a class="indexterm" href="install.html#id325571">Test Your Config File with testparm</a>, <a class="indexterm" href="StandAloneServer.html#SimplePrintServer">Central 
Print Serving</a>, <a class="indexterm" href="classicalprinting.html#id389487">Simple Print Configuration</a>, <a class="indexterm" href="classicalprinting.html#id389756">Verifying Configuration with testparm</a>, <a class="indexterm" href="classicalprinting.html#id389939">Rapid Configuration Validation</a>, <a class="indexterm" href="classicalprinting.html#id390291">Extended Printing Configuration</a>, <a class="indexterm" href="diagnosis.html#id444853">Assumptions</a>, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a>, <a class="indexterm" href="problems.html#id446829">Debugging with Samba Itself</a></dt><dt>tethereal, <a class="indexterm" href="problems.html#id447073">Tcpdump</a></dt><dt>text/plain, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a></dt><dt>texttops, <a class="indexterm" href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a></dt><dt>thin client, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a></dt><dt>ThinLinc, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a></dt><dt>tid, <a class="indexterm" href="SambaHA.html#id434948">Demultiplexing SMB Requests</a></dt><dt>TIFF, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>TightVNC, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a></dt><dt>time difference, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a></dt><dt>time format, <a class="indexterm" href="passdb.html#id360988">Changing User Accounts</a></dt><dt>time-to-live (see TTL)</dt><dt>tool, <a class="indexterm" href="AccessControls.html#id380962">Windows 200x/XP</a></dt><dt>tools, <a class="indexterm" 
href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a></dt><dt>tools\reskit\netadmin\poledit, <a class="indexterm" href="PolicyMgmt.html#id422683">Windows 9x/ME Policies</a></dt><dt>traditional printing, <a class="indexterm" href="classicalprinting.html#id392635">Custom Print Commands</a></dt><dt>training course, <a class="indexterm" href="Backup.html#id433944">Discussion of Backup Solutions</a></dt><dt>transfer differences, <a class="indexterm" href="Backup.html#id434193">Rsync</a></dt><dt>transformation, <a class="indexterm" href="CUPS-printing.html#id401774">MIME Types and CUPS Filters</a></dt><dt>transitive, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>transparent access, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a></dt><dt>transparently reconnected, <a class="indexterm" href="SambaHA.html#id434627">The Ultimate Goal</a></dt><dt>transport connection loss, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>Transport Layer Seccurity, TLS</dt><dd><dl><dt>Configuring, <a class="indexterm" href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></dt><dt>Introduction, <a class="indexterm" href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt></dl></dd><dt>transport layer security (see TLS)</dt><dt>Transport Layer Security, TLS</dt><dd><dl><dt>Testing, <a class="indexterm" href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></dt><dt>Troubleshooting, <a class="indexterm" href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></dt></dl></dd><dt>trigger, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>trivial database, <a class="indexterm" href="passdb.html#id357165">New Account 
Storage Systems</a> (see TDB)</dt><dt>Trivial Database, <a class="indexterm" href="tdb.html#id448693">Features and Benefits</a></dt><dt>troubleshoot, <a class="indexterm" href="classicalprinting.html#id389939">Rapid Configuration Validation</a></dt><dt>troubleshooting, <a class="indexterm" href="CUPS-printing.html#id413023">Printing from CUPS to Windows-Attached Printers</a></dt><dt>Tru64 UNIX, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>trust, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></dt><dd><dl><dt>account, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></dt></dl></dd><dt>trust account, <a class="indexterm" href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a>, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags Management</a>, <a class="indexterm" href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></dt><dd><dl><dt>interdomain, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt><dt>machine, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a></dt></dl></dd><dt>trust account password, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a></dt><dt>trust accounts, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a></dt><dt>trust established, <a class="indexterm" href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></dt><dt>trust relationship, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a>, <a class="indexterm" href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a>, <a class="indexterm" 
href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a>, <a class="indexterm" href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a>, <a class="indexterm" href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>trust relationships, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="InterdomainTrusts.html#id386823">Features and Benefits</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a>, <a class="indexterm" href="InterdomainTrusts.html#id387178">Creating an NT4 Domain Trust</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>trusted, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>trusted domain, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a>, <a class="indexterm" href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a>, <a class="indexterm" href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a>, <a class="indexterm" href="winbind.html#id418126">Name Service Switch</a></dt><dt>trusted domain name, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>trusted party, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>trusting domain, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust 
Relationship Background</a>, <a class="indexterm" href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a></dt><dt>trusting party, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>trusts, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>TTL, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>turn oplocks off, <a class="indexterm" href="locking.html#id384149">Advanced Samba Oplocks Parameters</a></dt><dt>turnkey solution, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></dt><dt>two-up, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>two-way</dt><dd><dl><dt>propagation, <a class="indexterm" href="samba-bdc.html#id336899">Features and Benefits</a></dt></dl></dd><dt>two-way trust, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a>, <a class="indexterm" href="InterdomainTrusts.html#id387144">Native MS Windows NT4 Trusts Configuration</a>, <a class="indexterm" href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></dt></dl></div><div class="indexdiv"><h3>U</h3><dl><dt>UCS-2, <a class="indexterm" href="unicode.html#id432847">Japanese Charsets</a></dt><dt>UDP, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id353180">Multiple Interfaces</a>, <a class="indexterm" 
href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></dt><dt>UDP port 137, <a class="indexterm" href="integrate-ms-networks.html#id430965">Background Information</a></dt><dt>udp ports, <a class="indexterm" href="winbind.html#id419601">Join the Samba Server to the PDC Domain</a></dt><dt>UDP unicast, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>UID, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a>, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a>, <a class="indexterm" href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a>, <a class="indexterm" href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="passdb.html#id360620">Listing User and Machine Accounts</a>, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a>, <a class="indexterm" href="NetCommand.html#id369648">UNIX and Windows User Management</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id373803">Primary Domain 
Controller</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id417844">Handling of Foreign SIDs</a>, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>uid, <a class="indexterm" href="passdb.html#id362853">OpenLDAP Configuration</a></dt><dt>UID numbers, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></dt><dt>UID range, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dt>unauthorized, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>unauthorized access, <a class="indexterm" href="AccessControls.html">File, Directory, and Share Access Controls</a></dt><dt>UNC notation, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a></dt><dt>unexpected.tdb, <a class="indexterm" href="CUPS-printing.html#id410254">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>unicast, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></dt><dt>unicode, <a class="indexterm" href="unicode.html#id432573">What Are Charsets and Unicode?</a></dt><dt>Unicode, <a class="indexterm" href="unicode.html#id432692">Samba and Charsets</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>Unicode UTF-8, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>unified logon, <a class="indexterm" href="winbind.html#id417589">Introduction</a></dt><dt>UNIX, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dd><dl><dt>server, <a class="indexterm" href="ServerType.html#id330679">Features and Benefits</a></dt></dl></dd><dt>UNIX account, <a 
class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a></dt><dt>unix charset, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>UNIX Domain Socket, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>UNIX domain socket, <a class="indexterm" href="winbind.html#id417956">How Winbind Works</a></dt><dt>UNIX file system access controls, <a class="indexterm" href="AccessControls.html#id378519">Features and Benefits</a></dt><dt>UNIX group, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>UNIX groups, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a></dt><dt>UNIX home directories, <a class="indexterm" href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a></dt><dt>UNIX host system, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>UNIX ID, <a class="indexterm" href="winbind.html#id418479">User and Group ID Allocation</a></dt><dt>UNIX locking, <a class="indexterm" href="locking.html#id383174">Discussion</a></dt><dt>UNIX login ID, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>UNIX permissions, <a class="indexterm" href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></dt><dt>UNIX printer, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>UNIX printing, <a class="indexterm" href="classicalprinting.html#id389202">Technical 
Introduction</a></dt><dt>UNIX system account, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a></dt><dt>UNIX system accounts, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>UNIX system files, <a class="indexterm" href="Backup.html#id433904">Features and Benefits</a></dt><dt>UNIX user identifier (see UID)</dt><dt>UNIX users, <a class="indexterm" href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a></dt><dt>UNIX-style encrypted passwords, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a></dt><dt>UNIX-user database, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a></dt><dt>UNIX/Linux group, <a class="indexterm" href="groupmapping.html#id365690">Warning: User Private Group Problems</a></dt><dt>UNIX/Linux user account, <a class="indexterm" href="NetCommand.html#id369648">UNIX and Windows User Management</a></dt><dt>unlink calls, <a class="indexterm" href="VFS.html#id415677">recycle</a></dt><dt>unlinked, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>unmapped groups, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a></dt><dt>unmapped users, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a></dt><dt>unprivileged account names, <a class="indexterm" href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt>unsigned drivers, <a class="indexterm" href="CUPS-printing.html#id413821">Windows 200x/XP Local Security Policies</a></dt><dt>unstoppable services, <a class="indexterm" href="SambaHA.html#id434627">The Ultimate Goal</a></dt><dt>unsupported encryption, <a class="indexterm" href="domain-member.html#id343732">Possible Errors</a></dt><dt>unsupported software, <a class="indexterm" 
href="ch47.html#id454025">Commercial Support</a></dt><dt>updates, <a class="indexterm" href="securing-samba.html#id386212">Upgrading Samba</a></dt><dt>upload drivers, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>uploaded driver, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>uploaded drivers, <a class="indexterm" href="classicalprinting.html#id393254">Point'n'Print Client Drivers on Samba Servers</a></dt><dt>uploading, <a class="indexterm" href="classicalprinting.html#id393254">Point'n'Print Client Drivers on Samba Servers</a></dt><dt>upper-case, <a class="indexterm" href="ServerType.html#id331101">User Level Security</a></dt><dt>uppercase, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="domain-member.html#id344384">Adding Machine to Domain Fails</a>, <a class="indexterm" href="largefile.html">Handling Large Directories</a></dt><dt>uppercase character, <a class="indexterm" href="groupmapping.html#id367467">Adding Groups Fails</a></dt><dt>USB, <a class="indexterm" href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></dt><dt>use computer anywhere, <a class="indexterm" href="unicode.html#id432528">Features and Benefits</a></dt><dt>user, <a class="indexterm" href="ChangeNotes.html#id348997">User and Group Changes</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>user access management, <a class="indexterm" href="domain-member.html#id339970">Features and Benefits</a></dt><dt>user account, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="passdb.html#id360511">User Account Management</a>, <a class="indexterm" href="passdb.html#TOSHARG-acctflags">Account Flags 
Management</a>, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a>, <a class="indexterm" href="NetCommand.html#id369648">UNIX and Windows User Management</a></dt><dd><dl><dt>Adding/Deleting, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a></dt></dl></dd><dt>user account database, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>user accounts, <a class="indexterm" href="passdb.html#id358952">Caution Regarding LDAP and Samba</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>User Accounts</dt><dd><dl><dt>Adding/Deleting, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a class="indexterm" href="passdb.html#id363677">Accounts and Groups Management</a></dt></dl></dd><dt>user and group, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a></dt><dt>user and trust accounts, <a class="indexterm" href="passdb.html">Account Information Databases</a></dt><dt>user attributes, <a class="indexterm" href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></dt><dt>user authentication, <a class="indexterm" href="winbind.html#id418004">Microsoft Remote Procedure Calls</a></dt><dt>user database, <a class="indexterm" href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a>, <a class="indexterm" href="passdb.html#id361898">Plaintext</a></dt><dt>user encoded, <a class="indexterm" href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></dt><dt>user groups, <a class="indexterm" href="ch47.html#id453826">Free Support</a></dt><dt>user logons, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>user management, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a>, <a class="indexterm" 
href="NetCommand.html#id367921">Overview</a>, <a class="indexterm" href="NetCommand.html#id368272">UNIX and Windows Group Management</a></dt><dt>User Management, <a class="indexterm" href="passdb.html#pdbeditthing">The pdbedit Tool</a>, <a class="indexterm" href="passdb.html#id363677">Accounts and Groups Management</a></dt><dt>User Manager, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a class="indexterm" href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a>, <a class="indexterm" href="ProfileMgmt.html#id426546">Creating and Managing Group Profiles</a></dt><dt>User Manager for Domains, <a class="indexterm" href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a></dt><dt>user or group, <a class="indexterm" href="rights.html#id376833">Using the &#8220;net rpc rights&#8221; Utility</a></dt><dt>user profiles, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>User Rights and Privileges, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>user-level, <a class="indexterm" href="ServerType.html#id330959">Samba Security Modes</a>, <a class="indexterm" href="ServerType.html#id331101">User Level Security</a></dt><dt>User-level access control, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>user-level security, <a class="indexterm" href="passdb.html#id357986">Advantages of Encrypted Passwords</a></dt><dt>user-mode security, <a class="indexterm" href="samba-pdc.html#id336119">Security Mode and Master Browsers</a></dt><dt>user.DAT, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a>, <a class="indexterm" href="ProfileMgmt.html#id425996">Sharing Profiles between Windows 9x/Me and NT4/200x/XP 
Workstations</a></dt><dt>user.MAN, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>User.MAN, <a class="indexterm" href="ProfileMgmt.html#id426418">Mandatory Profiles</a></dt><dt>useradd, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a>, <a class="indexterm" href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a></dt><dt>username, <a class="indexterm" href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></dt><dt>username and password, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>username map, <a class="indexterm" href="NetCommand.html#id369950">User Mapping</a></dt><dt>userPassword, <a class="indexterm" href="passdb.html#id363105">Initialize the LDAP Database</a></dt><dt>users, <a class="indexterm" href="PolicyMgmt.html#id422418">Features and Benefits</a></dt><dt>UsrMgr.exe, <a class="indexterm" href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt>UTF-8, <a class="indexterm" href="unicode.html#id432692">Samba and Charsets</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>UTF-8 encoding, <a class="indexterm" href="SWAT.html#id444127">Enabling SWAT Internationalization Support</a></dt></dl></div><div class="indexdiv"><h3>V</h3><dl><dt>valid username/password, <a class="indexterm" href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></dt><dt>valid users, <a class="indexterm" href="diagnosis.html#id445131">The Tests</a></dt><dt>validate, <a class="indexterm" href="install.html#id325571">Test Your Config File with testparm</a>, <a class="indexterm" href="diagnosis.html#id444817">Introduction</a></dt><dt>validate every backup, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>validation, <a 
class="indexterm" href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a>, <a class="indexterm" href="PolicyMgmt.html">System and Account Policies</a></dt><dt>vendor-provided drivers, <a class="indexterm" href="CUPS-printing.html#id399952">Raw Print Serving: Vendor Drivers on Windows Clients</a></dt><dt>verifiable, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a></dt><dt>verify, <a class="indexterm" href="classicalprinting.html#id389939">Rapid Configuration Validation</a></dt><dt>version control, <a class="indexterm" href="VFS.html#id416094">shadow_copy</a></dt><dt>VFS, <a class="indexterm" href="samba-pdc.html#id334811">Domain Control: Example Configuration</a>, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>VFS module, <a class="indexterm" href="VFS.html#id416094">shadow_copy</a>, <a class="indexterm" href="ProfileMgmt.html#id426418">Mandatory Profiles</a></dt><dt>VFS modules, <a class="indexterm" href="VFS.html#id414746">Discussion</a>, <a class="indexterm" href="VFS.html#id416927">VFS Modules Available Elsewhere</a></dt><dt>vgcreate, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>vgdisplay, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>vipw, <a class="indexterm" href="samba-pdc.html#id336359">&#8220;$&#8221; Cannot Be Included in Machine Name</a>, <a class="indexterm" href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></dt><dt>Virtual File System (see VFS)</dt><dt>virtual server, <a class="indexterm" href="SambaHA.html#id434861">The Front-End Challenge</a>, <a class="indexterm" href="SambaHA.html#id435417">A Simple Solution</a></dt><dt>virus scanner, <a class="indexterm" href="VFS.html#id414746">Discussion</a></dt><dt>Visual Studio, <a class="indexterm" href="CUPS-printing.html#id406303">PostScript Drivers with No Major Problems, Even in Kernel
-Mode</a></dt><dt>vital task, <a class="indexterm" href="SambaHA.html#id434489">Features and Benefits</a></dt><dt>VNC/RFB, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>volume group, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>volunteers, <a class="indexterm" href="problems.html#id447602">Getting Mailing List Help</a></dt><dt>vscan, <a class="indexterm" href="VFS.html#id417002">vscan</a></dt><dt>vuid, <a class="indexterm" href="SambaHA.html#id434948">Demultiplexing SMB Requests</a></dt></dl></div><div class="indexdiv"><h3>W</h3><dl><dt>W32X86, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a>, <a class="indexterm" href="CUPS-printing.html#id406303">PostScript Drivers with No Major Problems, Even in Kernel
-Mode</a>, <a class="indexterm" href="CUPS-printing.html#id407173">Caveats to Be Considered</a></dt><dt>W32X86/2, <a class="indexterm" href="CUPS-printing.html#id401414">Using Windows-Formatted Vendor PPDs</a></dt><dt>WAN, <a class="indexterm" href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a class="indexterm" href="locking.html#id383934">Slow and/or Unreliable Networks</a></dt><dt>wbinfo, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>Web-based configuration, <a class="indexterm" href="SWAT.html">SWAT: The Samba Web Administration Tool</a></dt><dt>WebClient, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></dt><dt>Welcome, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></dt><dt>well known RID, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>well-controlled network, <a class="indexterm" href="NT4Migration.html#id441992">Server Share and Directory Layout</a></dt><dt>well-known RID, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a></dt><dt>wide-area network bandwidth, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt><dt>win election, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a></dt><dt>Win32 printing API, <a class="indexterm" href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></dt><dt>WIN40, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a>, <a class="indexterm" href="classicalprinting.html#id394855">Obtaining Driver Files from Windows Client [print$] Shares</a>, <a class="indexterm" href="CUPS-printing.html#id407173">Caveats to Be Considered</a></dt><dt>winbind, <a class="indexterm" 
href="domain-member.html#id342539">Why Is This Better Than security = server?</a>, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="idmapper.html#id374087">Examples of IDMAP Backend Usage</a>, <a class="indexterm" href="idmapper.html#id374170">NT4-Style Domains (Includes Samba Domains)</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id419410">Configure smb.conf</a></dt><dt>Winbind, <a class="indexterm" href="StandAloneServer.html#id344808">Background</a>, <a class="indexterm" href="winbind.html#id417805">Target Uses</a>, <a class="indexterm" href="winbind.html#id418082">Microsoft Active Directory Services</a>, <a class="indexterm" href="winbind.html#id418338">Pluggable Authentication Modules</a>, <a class="indexterm" href="winbind.html#id418479">User and Group ID Allocation</a>, <a class="indexterm" href="winbind.html#id418546">Result Caching</a>, <a class="indexterm" href="winbind.html#id418602">Introduction</a>, <a class="indexterm" href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a>, <a class="indexterm" href="winbind.html#id419308">NSS Winbind on AIX</a>, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a>, <a class="indexterm" href="winbind.html#id420659">Linux/FreeBSD-Specific PAM Configuration</a>, <a class="indexterm" href="winbind.html#id421094">Conclusion</a>, <a class="indexterm" href="pam.html">PAM-Based Distributed Authentication</a>, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a>, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x 
Series</a></dt><dt>Winbind architecture, <a class="indexterm" href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></dt><dt>Winbind hooks, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a></dt><dt>Winbind services, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a></dt><dt>Winbind-based authentication, <a class="indexterm" href="pam.html">PAM-Based Distributed Authentication</a></dt><dt>winbind.so, <a class="indexterm" href="winbind.html#id420982">Solaris-Specific Configuration</a></dt><dt>winbindd, <a class="indexterm" href="install.html#id325180">Starting Samba</a>, <a class="indexterm" href="install.html#id325571">Test Your Config File with testparm</a>, <a class="indexterm" href="FastStart.html#id328056">Example Configuration</a>, <a class="indexterm" href="samba-bdc.html#id339066">Example Configuration</a>, <a class="indexterm" href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a>, <a class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a>, <a class="indexterm" href="groupmapping.html#id364981">Features and Benefits</a>, <a class="indexterm" href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a>, <a class="indexterm" href="NetCommand.html#id369648">UNIX and Windows User Management</a>, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a>, <a class="indexterm" href="InterdomainTrusts.html">Interdomain Trust Relationships</a>, <a class="indexterm" href="winbind.html#id417272">Features and Benefits</a>, <a class="indexterm" href="winbind.html#id417956">How Winbind Works</a>, <a class="indexterm" href="winbind.html#id418709">Requirements</a>, <a class="indexterm" href="winbind.html#id418852">Testing Things Out</a>, <a class="indexterm" 
href="winbind.html#id418935">Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris</a>, <a class="indexterm" href="winbind.html#id419410">Configure smb.conf</a>, <a class="indexterm" href="winbind.html#id419828">Starting and Testing the winbindd Daemon</a>, <a class="indexterm" href="winbind.html#id420337">Solaris</a>, <a class="indexterm" href="winbind.html#id420500">Configure Winbind and PAM</a>, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a></dt><dt>winbindd daemon, <a class="indexterm" href="winbind.html#id420170">Linux</a></dt><dt>Windows, <a class="indexterm" href="idmapper.html">Identity Mapping (IDMAP)</a>, <a class="indexterm" href="unicode.html#id432968">Basic Parameter Setting</a></dt><dt>Windows 2000, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="domain-member.html#ads-test-server">Testing Server Setup</a>, <a class="indexterm" href="NetworkBrowsing.html">Network Browsing</a>, <a class="indexterm" href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></dt><dt>Windows 2000 Professional TCP/IP, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>Windows 2000 server, <a class="indexterm" href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></dt><dt>Windows 2003, <a class="indexterm" href="domain-member.html#id342981">Configure /etc/krb5.conf</a>, <a class="indexterm" href="domain-member.html#id344604">I Can't Join a Windows 2003 PDC</a></dt><dt>Windows 200x/XP, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>Windows 9x/Me, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a>, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a>, <a class="indexterm" 
href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a>, <a class="indexterm" href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a></dt><dt>Windows 9x/Me/XP Home, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>Windows account management, <a class="indexterm" href="winbind.html#id417666">What Winbind Provides</a></dt><dt>Windows client, <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>Windows client failover, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>Windows domain, <a class="indexterm" href="upgrading-to-3.0.html#id440430">Changes in Behavior</a></dt><dt>Windows Explorer, <a class="indexterm" href="NetworkBrowsing.html#id354972">Problem Resolution</a>, <a class="indexterm" href="classicalprinting.html#id394484">Identifying Driver Files</a></dt><dt>Windows group, <a class="indexterm" href="groupmapping.html">Group Mapping: MS Windows and UNIX</a>, <a class="indexterm" href="groupmapping.html#id365690">Warning: User Private Group Problems</a>, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a>, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>Windows group account, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>Windows groups, <a class="indexterm" href="NetCommand.html#id368629">Mapping Windows Groups to UNIX Groups</a></dt><dt>Windows Internet Name Server (see WINS)</dt><dt>Windows Logon, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>Windows Me TCP/IP, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>Windows Millennium, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>Windows 
Millennium edition (Me) TCP/IP, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>Windows network clients, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a></dt><dt>Windows NT domain name, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Windows NT PostScript driver, <a class="indexterm" href="CUPS-printing.html#id413023">Printing from CUPS to Windows-Attached Printers</a></dt><dt>Windows NT Server, <a class="indexterm" href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt>Windows NT/2000/XP, <a class="indexterm" href="classicalprinting.html#id395482">Check Samba for Driver Recognition</a></dt><dt>Windows NT/200x, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a>, <a class="indexterm" href="winbind.html#id418602">Introduction</a></dt><dt>Windows NT/200x/XP, <a class="indexterm" href="classicalprinting.html#id390748">The [global] Section</a></dt><dt>Windows NT/200x/XP Professional, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a class="indexterm" href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id348714">Common Errors</a></dt><dt>Windows NT3.10, <a class="indexterm" href="samba-bdc.html#id337275">Essential Background Information</a></dt><dt>Windows NT4, <a class="indexterm" href="AccessControls.html#id380864">Windows NT4 Workstation/Server</a>, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>Windows NT4 domains, <a class="indexterm" href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></dt><dt>Windows NT4 Server, <a class="indexterm" href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a></dt><dt>Windows NT4/200X, <a 
class="indexterm" href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></dt><dt>Windows NT4/200x, <a class="indexterm" href="groupmapping.html#id365375">Discussion</a></dt><dt>Windows NT4/200x/XP, <a class="indexterm" href="samba-bdc.html#id338488">NetBIOS Over TCP/IP Enabled</a>, <a class="indexterm" href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a>, <a class="indexterm" href="AccessControls.html#id380962">Windows 200x/XP</a></dt><dt>Windows NT4/2kX/XPPro, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>Windows PPD, <a class="indexterm" href="CUPS-printing.html#id410956">690 &#8220;Perfect&#8221; Printers</a></dt><dt>Windows privilege model, <a class="indexterm" href="rights.html#id376570">Rights Management Capabilities</a></dt><dt>Windows Registry, <a class="indexterm" href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dt>windows registry settings, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dd><dl><dt>default profile locations, <a class="indexterm" href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a>, <a class="indexterm" href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a></dt><dt>profile path, <a class="indexterm" href="ProfileMgmt.html#id424704">Windows 9x/Me Profile Setup</a></dt><dt>roaming profiles, <a class="indexterm" href="ProfileMgmt.html#id424492">Disabling Roaming Profile Support</a></dt></dl></dd><dt>Windows Resource Kit, <a class="indexterm" href="ProfileMgmt.html#id424492">Disabling Roaming Profile Support</a></dt><dt>Windows Security Identifiers (see SID)</dt><dt>Windows Terminal server, <a class="indexterm" href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></dt><dt>Windows Terminal Server, <a class="indexterm" href="AdvancedNetworkManagement.html#id421909">Remote Management with 
ThinLinc</a></dt><dt>Windows user, <a class="indexterm" href="rights.html">User Rights and Privileges</a></dt><dt>Windows user accounts, <a class="indexterm" href="NetCommand.html#id369648">UNIX and Windows User Management</a></dt><dt>Windows Vista, <a class="indexterm" href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></dt><dt>Windows workstation., <a class="indexterm" href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></dt><dt>Windows XP Home, <a class="indexterm" href="passdb.html#id357700">Important Notes About Security</a></dt><dt>Windows XP Home edition, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id335736">The Special Case of MS Windows XP Home Edition</a>, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></dt><dt>Windows XP Home Edition, <a class="indexterm" href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a></dt><dt>Windows XP Professional, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="classicalprinting.html#id389000">Features and Benefits</a></dt><dt>Windows XP Professional TCP/IP, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a></dt><dt>Windows XP TCP/IP, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a></dt><dt>Windows95/98/ME, <a class="indexterm" href="classicalprinting.html#id395482">Check Samba for Driver Recognition</a></dt><dt>winnt.adm, <a class="indexterm" href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></dt><dt>WINS, <a class="indexterm" href="samba-pdc.html#id332816">Features and Benefits</a>, <a class="indexterm" href="samba-pdc.html#id333888">Domain Controller Types</a>, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" 
href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a>, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a>, <a class="indexterm" href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a>, <a class="indexterm" href="ClientConfig.html#id346148">MS Windows XP Professional</a>, <a class="indexterm" href="ClientConfig.html#id346766">MS Windows 2000</a>, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a>, <a class="indexterm" href="NetworkBrowsing.html">Network Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id349822">Features and Benefits</a>, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a>, <a class="indexterm" href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a>, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a>, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id354713">Technical Overview of Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a>, <a class="indexterm" href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id355365">Behavior of Cross-Subnet Browsing</a>, <a class="indexterm" href="integrate-ms-networks.html#id432135">WINS Lookup</a>, <a class="indexterm" href="DNSDHCP.html#id454326">Example Configuration</a></dt><dt>wins, <a class="indexterm" href="integrate-ms-networks.html#id431397">/etc/nsswitch.conf</a></dt><dt>WINS Configuration, <a class="indexterm" 
href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></dt><dt>WINS lookup, <a class="indexterm" href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></dt><dt>WINS replication, <a class="indexterm" href="NetworkBrowsing.html#id354117">WINS Replication</a>, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>WINS Server, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a></dt><dt>WINS server, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a>, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a>, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a>, <a class="indexterm" href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a>, <a class="indexterm" href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></dt><dt>WINS server address, <a class="indexterm" href="NetworkBrowsing.html#id351491">How Browsing Functions</a></dt><dt>WINS server settings, <a class="indexterm" href="ClientConfig.html#id347292">MS Windows Me</a></dt><dt>WINS servers, <a class="indexterm" href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></dt><dt>WINS service, <a class="indexterm" href="NetworkBrowsing.html#id353824">WINS Server Configuration</a></dt><dt>WINS Support, <a class="indexterm" href="NetworkBrowsing.html#id349988">What Is Browsing?</a></dt><dt>wins.dat, <a class="indexterm" href="NetworkBrowsing.html#id354166">Static WINS Entries</a></dt><dt>without Administrator account, <a class="indexterm" href="rights.html#id377883">The Administrator Domain SID</a></dt><dt>without ADS, <a class="indexterm" href="NT4Migration.html#id441422">Objectives</a></dt><dt>work-flow protocol, <a class="indexterm" 
href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></dt><dt>workgroup, <a class="indexterm" href="ServerType.html#id331998">Server Security (User Level Security)</a>, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a>, <a class="indexterm" href="samba-pdc.html#id335768">The Special Case of Windows 9x/Me</a>, <a class="indexterm" href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a>, <a class="indexterm" href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a>, <a class="indexterm" href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a>, <a class="indexterm" href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a>, <a class="indexterm" href="cfgsmarts.html#id436244">Multiple Server Hosting</a>, <a class="indexterm" href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></dt><dd><dl><dt>membership, <a class="indexterm" href="samba-pdc.html#id334343">Preparing for Domain Control</a></dt></dl></dd><dt>workstations, <a class="indexterm" href="passdb.html#passdbtech">Technical Information</a></dt><dt>world-writable, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>write, <a class="indexterm" href="AccessControls.html#id379121">File and Directory Access Control</a></dt><dt>write access, <a class="indexterm" href="AccessControls.html#id379488">Protecting Directories and Files from Deletion</a></dt><dt>Write caching, <a class="indexterm" href="locking.html#id383412">Opportunistic Locking Overview</a></dt><dt>write changes, <a class="indexterm" href="idmapper.html#id374021">Backup Domain Controller</a></dt><dt>write permission, <a class="indexterm" href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt>writeable, <a class="indexterm" href="VFS.html#fakeperms">fake_perms</a></dt><dt>WYSIWYG, <a class="indexterm" 
href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a></dt></dl></div><div class="indexdiv"><h3>X</h3><dl><dt>X Window
- System, <a class="indexterm" href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a>, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>X.509 certificates, <a class="indexterm" href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></dt><dt>XFS file system, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>xfsprogs, <a class="indexterm" href="VFS.html#id416266">Shadow Copy Setup</a></dt><dt>xinetd, <a class="indexterm" href="SWAT.html#id443404">Validate SWAT Installation</a>, <a class="indexterm" href="compiling.html#id450196">Starting from inetd.conf</a> (see inetd)</dt><dt>XML, <a class="indexterm" href="ChangeNotes.html#id349400">Passdb Changes</a></dt><dt>XML-based datasets, <a class="indexterm" href="CUPS-printing.html#id411496">Foomatic Database-Generated PPDs</a></dt><dt>xpp, <a class="indexterm" href="CUPS-printing.html#id411496">Foomatic Database-Generated PPDs</a></dt><dt>Xprint, <a class="indexterm" href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a>, <a class="indexterm" href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></dt><dt>xxxxBSD, <a class="indexterm" href="pam.html#id428296">Features and Benefits</a></dt></dl></div><div class="indexdiv"><h3>Y</h3><dl><dt>yppasswd, <a class="indexterm" href="passdb.html#id359487">The smbpasswd Tool</a></dt></dl></div><div class="indexdiv"><h3>Z</h3><dl><dt>Zero Administration Kit, <a class="indexterm" href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></dt><dt>zero-based broadcast, <a class="indexterm" href="NetworkBrowsing.html#id353161">Note about Broadcast Addresses</a></dt></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="go01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> </td></tr><tr><td width="40%" 
align="left" valign="top">Glossary </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-HOWTO/largefile.html b/docs/htmldocs/Samba3-HOWTO/largefile.html
deleted file mode 100644
index d4ed8463ff..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/largefile.html
+++ /dev/null
@@ -1,55 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 33. Handling Large Directories</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="SambaHA.html" title="Chapter 32. High Availability"><link rel="next" href="cfgsmarts.html" title="Chapter 34. Advanced Configuration Techniques"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 33. Handling Large Directories</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="cfgsmarts.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 33. Handling Large Directories"><div class="titlepage"><div><div><h2 class="title"><a name="largefile"></a>Chapter 33. 
Handling Large Directories</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">March 5, 2005</p></div></div></div><p>
-<a class="indexterm" name="id435750"></a>
-<a class="indexterm" name="id435756"></a>
-<a class="indexterm" name="id435763"></a>
-Samba-3.0.12 and later implements a solution for sites that have experienced performance degradation due to the
-problem of using Samba-3 with applications that need large numbers of files (100,000 or more) per directory.
-</p><p>
-<a class="indexterm" name="id435775"></a>
-<a class="indexterm" name="id435782"></a>
-The key was fixing the directory handling to read only the current list requested instead of the old
-(up to samba-3.0.11) behavior of reading the entire directory into memory before doling out names.
-Normally this would have broken OS/2 applications, which have very strange delete semantics, but by
-stealing logic from Samba4 (thanks, Tridge), the current code in 3.0.12 handles this correctly.
-</p><p>
-<a class="indexterm" name="id435796"></a>
-<a class="indexterm" name="id435803"></a>
-To set up an application that needs large numbers of files per directory in a way that does not
-damage performance unduly, follow these steps:
-</p><p>
-<a class="indexterm" name="id435814"></a>
-First, you need to canonicalize all the files in the directory to have one case, upper or lower take your
-pick (I chose upper because all my files were already uppercase names). Then set up a new custom share for the
-application as follows:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[bigshare]</code></em></td></tr><tr><td><a class="indexterm" name="id435840"></a><em class="parameter"><code>path = /data/manyfilesdir</code></em></td></tr><tr><td><a class="indexterm" name="id435851"></a><em class="parameter"><code>read only = no</code></em></td></tr><tr><td><a class="indexterm" name="id435863"></a><em class="parameter"><code>case sensitive = True</code></em></td></tr><tr><td><a class="indexterm" name="id435874"></a><em class="parameter"><code>default case = upper</code></em></td></tr><tr><td><a class="indexterm" name="id435886"></a><em class="parameter"><code>preserve case = no</code></em></td></tr><tr><td><a class="indexterm" name="id435897"></a><em class="parameter"><code>short preserve case = no</code></em></td></tr></table><p>
-</p><p>
-<a class="indexterm" name="id435912"></a>
-<a class="indexterm" name="id435919"></a>
-<a class="indexterm" name="id435926"></a>
-Of course, use your own path and settings, but set the case options to match the case of all the files in your
-directory. The path should point at the large directory needed for the application any new files created in
-there and in any paths under it will be forced by smbd into uppercase, but smbd will no longer have to scan
-the directory for names: it knows that if a file does not exist in uppercase, then it doesn't exist at all.
-</p><p>
-<a class="indexterm" name="id435943"></a>
-<a class="indexterm" name="id435949"></a>
-<a class="indexterm" name="id435956"></a>
-The secret to this is really in the <a class="link" href="smb.conf.5.html#CASESENSITIVE" target="_top">case sensitive = True</a>
-line. This tells smbd never to scan for case-insensitive versions of names. So if an application asks for a file
-called <code class="filename">FOO</code>, and it cannot be found by a simple stat call, then smbd will return file not
-found immediately without scanning the containing directory for a version of a different case. The other
-<code class="filename">xxx case xxx</code> lines make this work by forcing a consistent case on all files created by
-<span class="application">smbd</span>.
-</p><p>
-<a class="indexterm" name="id435997"></a>
-<a class="indexterm" name="id436004"></a>
-<a class="indexterm" name="id436010"></a>
-Remember, all files and directories under the <em class="parameter"><code>path</code></em> directory must be in uppercase
-with this <code class="filename">smb.conf</code> stanza because <span class="application">smbd</span> will not be able to find lowercase filenames with these settings. Also
-note that this is done on a per-share basis, allowing this parameter to be set only for a share servicing an application with
-this problematic behavior (using large numbers of entries in a directory) the rest of your <span class="application">smbd</span> shares
-don't need to be affected.
-</p><p>
-This makes smbd much faster when dealing with large directories. My test case has over 100,000 files, and
-smbd now deals with this very efficiently.
-</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="cfgsmarts.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 32. High Availability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 34. Advanced Configuration Techniques</td></tr></table></div></body></html>
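Review bot: the removed text around "case sensitive = True" carries an operational caveat (all files and directories under the share path must already be uppercase, because smbd will not find lowercase filenames with these settings), and nothing in the hunk says where that guidance lives once this page is gone. The removal runs through the closing </body></html>, and the locking.html page deleted next carries a DocBook XSL Stylesheets generator tag, so this looks like checked-in build output. If that is the case, the commit message should say that the DocBook source is the maintained copy and how the HTML is regenerated, so that anyone who relied on the checked-in page can still find the [bigshare] stanza and its caveat.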
diff --git a/docs/htmldocs/Samba3-HOWTO/locking.html b/docs/htmldocs/Samba3-HOWTO/locking.html
deleted file mode 100644
index cb494cd21c..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/locking.html
+++ /dev/null
@@ -1,711 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 17. File and Record Locking</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls"><link rel="next" href="securing-samba.html" title="Chapter 18. Securing Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 17. File and Record Locking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 17. File and Record Locking"><div class="titlepage"><div><div><h2 class="title"><a name="locking"></a>Chapter 17. 
File and Record Locking</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Roseme</span></h3><div class="affiliation"><span class="orgname">HP Oplocks Usage Recommendations Whitepaper<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:eric.roseme@hp.com">eric.roseme@hp.com</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="locking.html#id383088">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="locking.html#id383174">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id383412">Opportunistic Locking Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id384264">Samba Oplocks Control</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="locking.html#id384333">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id384716">MS Windows Oplocks and Caching Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id384868">Workstation Service Entries</a></span></dt><dt><span class="sect2"><a href="locking.html#id384888">Server Service Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id384944">Persistent Data Corruption</a></span></dt><dt><span class="sect1"><a href="locking.html#id384963">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id385014">locking.tdb Error Messages</a></span></dt><dt><span class="sect2"><a href="locking.html#id385042">Problems Saving Files in MS Office on Windows XP</a></span></dt><dt><span class="sect2"><a href="locking.html#id385065">Long Delays Deleting Files over Network with XP SP1</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id385094">Additional Reading</a></span></dt></dl></div><p>
-<a class="indexterm" name="id383078"></a>
-One area that causes trouble for many network administrators is locking.
-The extent of the problem is readily evident from searches over the Internet.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id383088"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id383095"></a>
-Samba provides all the same locking semantics that MS Windows clients expect
-and that MS Windows NT4/200x servers also provide.
-</p><p>
-<a class="indexterm" name="id383106"></a>
-The term <span class="emphasis"><em>locking</em></span> has exceptionally broad meaning and covers
-a range of functions that are all categorized under this one term.
-</p><p>
-<a class="indexterm" name="id383121"></a>
-<a class="indexterm" name="id383128"></a>
-<a class="indexterm" name="id383135"></a>
-Opportunistic locking is a desirable feature when it can enhance the
-perceived performance of applications on a networked client. However, the
-opportunistic locking protocol is not robust and therefore can
-encounter problems when invoked beyond a simplistic configuration or
-on extended slow or faulty networks. In these cases, operating
-system management of opportunistic locking and/or recovering from
-repetitive errors can offset the perceived performance advantage that
-it is intended to provide.
-</p><p>
-<a class="indexterm" name="id383149"></a>
-The MS Windows network administrator needs to be aware that file and record
-locking semantics (behavior) can be controlled either in Samba or by way of registry
-settings on the MS Windows client.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id383163"></a>
-Sometimes it is necessary to disable locking control settings on the Samba
-server as well as on each MS Windows client!
-</p></div></div><div class="sect1" title="Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id383174"></a>Discussion</h2></div></div></div><p>
-<a class="indexterm" name="id383182"></a>
-<a class="indexterm" name="id383189"></a>
-There are two types of locking that need to be performed by an SMB server.
-The first is <span class="emphasis"><em>record locking</em></span> that allows a client to lock
-a range of bytes in an open file. The second is the <span class="emphasis"><em>deny modes</em></span>
-that are specified when a file is open.
-</p><p>
-<a class="indexterm" name="id383207"></a>
-<a class="indexterm" name="id383214"></a>
-<a class="indexterm" name="id383221"></a>
-<a class="indexterm" name="id383228"></a>
-<a class="indexterm" name="id383234"></a>
-Record locking semantics under UNIX are very different from record locking under
-Windows. Versions of Samba before 2.2 have tried to use the native fcntl() UNIX
-system call to implement proper record locking between different Samba clients.
-This cannot be fully correct for several reasons. The simplest is
-that a Windows client is allowed to lock a byte range up to 2^32 or 2^64,
-depending on the client OS. The UNIX locking only supports byte ranges up to 2^31.
-So it is not possible to correctly satisfy a lock request above 2^31. There are
-many more differences, too many to be listed here.
-</p><p>
-<a class="indexterm" name="id383249"></a>
-<a class="indexterm" name="id383256"></a>
-Samba 2.2 and above implement record locking completely independently of the
-underlying UNIX system. If a byte-range lock that the client requests happens
-to fall into the range of 0 to 2^31, Samba hands this request down to the UNIX system.
-No other locks can be seen by UNIX, anyway.
-</p><p>
-<a class="indexterm" name="id383269"></a>
-<a class="indexterm" name="id383276"></a>
-Strictly speaking, an SMB server should check for locks before every read and write call on
-a file. Unfortunately, with the way fcntl() works, this can be slow and may overstress
-the <code class="literal">rpc.lockd</code>. This is almost always unnecessary because clients are
-independently supposed to make locking calls before reads and writes if locking is
-important to them. By default, Samba only makes locking calls when explicitly asked
-to by a client, but if you set <a class="link" href="smb.conf.5.html#STRICTLOCKING" target="_top">strict locking = yes</a>, it
-will make lock checking calls on <span class="emphasis"><em>every</em></span> read and write call.
-</p><p>
-<a class="indexterm" name="id383312"></a>
-You can also disable byte-range locking completely by using
-<a class="link" href="smb.conf.5.html#LOCKING" target="_top">locking = no</a>.
-This is useful for those shares that do not support locking or do not need it
-(such as CD-ROMs). In this case, Samba fakes the return codes of locking calls to
-tell clients that everything is okay.
-</p><p>
-<a class="indexterm" name="id383336"></a>
-<a class="indexterm" name="id383342"></a>
-<a class="indexterm" name="id383349"></a>
-<a class="indexterm" name="id383356"></a>
-<a class="indexterm" name="id383363"></a>
-<a class="indexterm" name="id383370"></a>
-<a class="indexterm" name="id383376"></a>
-The second class of locking is the <span class="emphasis"><em>deny modes</em></span>. These
-are set by an application when it opens a file to determine what types of
-access should be allowed simultaneously with its open. A client may ask for
-<code class="constant">DENY_NONE</code>, <code class="constant">DENY_READ</code>,
-<code class="constant">DENY_WRITE</code>, or <code class="constant">DENY_ALL</code>. There are also special compatibility
-modes called <code class="constant">DENY_FCB</code> and <code class="constant">DENY_DOS</code>.
-</p><div class="sect2" title="Opportunistic Locking Overview"><div class="titlepage"><div><div><h3 class="title"><a name="id383412"></a>Opportunistic Locking Overview</h3></div></div></div><p>
-<a class="indexterm" name="id383420"></a>
-<a class="indexterm" name="id383427"></a>
-<a class="indexterm" name="id383433"></a>
-Opportunistic locking (oplocks) is invoked by the Windows file system
-(as opposed to an API) via registry entries (on the server and the client)
-for the purpose of enhancing network performance when accessing a file
-residing on a server. Performance is enhanced by caching the file
-locally on the client that allows the following:
-</p><div class="variablelist"><dl><dt><span class="term">Read-ahead:</span></dt><dd><p>
-<a class="indexterm" name="id383454"></a>
- The client reads the local copy of the file, eliminating network latency.
- </p></dd><dt><span class="term">Write caching:</span></dt><dd><p>
-<a class="indexterm" name="id383471"></a>
- The client writes to the local copy of the file, eliminating network latency.
- </p></dd><dt><span class="term">Lock caching:</span></dt><dd><p>
-<a class="indexterm" name="id383488"></a>
- The client caches application locks locally, eliminating network latency.
- </p></dd></dl></div><p>
-<a class="indexterm" name="id383501"></a>
-<a class="indexterm" name="id383508"></a>
-<a class="indexterm" name="id383515"></a>
-The performance enhancement of oplocks is due to the opportunity of
-exclusive access to the file even if it is opened with deny-none
-because Windows monitors the file's status for concurrent access from
-other processes.
-</p><div class="variablelist" title="Windows Defines Four Kinds of Oplocks:"><p class="title"><b>Windows Defines Four Kinds of Oplocks:</b></p><dl><dt><span class="term">Level1 Oplock</span></dt><dd><p>
-<a class="indexterm" name="id383543"></a>
-<a class="indexterm" name="id383550"></a>
-<a class="indexterm" name="id383557"></a>
-<a class="indexterm" name="id383564"></a>
- The redirector sees that the file was opened with deny
- none (allowing concurrent access), verifies that no
- other process is accessing the file, checks that
- oplocks are enabled, then grants deny-all/read-write/exclusive
- access to the file. The client now performs
- operations on the cached local file.
- </p><p>
-<a class="indexterm" name="id383576"></a>
-<a class="indexterm" name="id383583"></a>
-<a class="indexterm" name="id383590"></a>
-<a class="indexterm" name="id383597"></a>
- If a second process attempts to open the file, the open
- is deferred while the redirector "breaks" the original
- oplock. The oplock break signals the caching client to
- write the local file back to the server, flush the
- local locks, and discard read-ahead data. The break is
- then complete, the deferred open is granted, and the
- multiple processes can enjoy concurrent file access as
- dictated by mandatory or byte-range locking options.
- However, if the original opening process opened the
- file with a share mode other than deny-none, then the
- second process is granted limited or no access, despite
- the oplock break.
- </p></dd><dt><span class="term">Level2 Oplock</span></dt><dd><p>
-<a class="indexterm" name="id383619"></a>
-<a class="indexterm" name="id383626"></a>
-<a class="indexterm" name="id383633"></a>
- Performs like a Level1 oplock, except caching is only
- operative for reads. All other operations are performed
- on the server disk copy of the file.
- </p></dd><dt><span class="term">Filter Oplock</span></dt><dd><p>
-<a class="indexterm" name="id383651"></a>
- Does not allow write or delete file access.
- </p></dd><dt><span class="term">Batch Oplock</span></dt><dd><p>
-<a class="indexterm" name="id383668"></a>
- Manipulates file openings and closings and allows caching
- of file attributes.
- </p></dd></dl></div><p>
-<a class="indexterm" name="id383682"></a>
-An important detail is that oplocks are invoked by the file system, not
-an application API. Therefore, an application can close an oplocked
-file, but the file system does not relinquish the oplock. When the
-oplock break is issued, the file system then simply closes the file in
-preparation for the subsequent open by the second process.
-</p><p>
-<a class="indexterm" name="id383695"></a>
-<a class="indexterm" name="id383701"></a>
-<a class="indexterm" name="id383708"></a>
-<a class="indexterm" name="id383715"></a>
-<span class="emphasis"><em>Opportunistic locking</em></span> is actually an improper name for this feature.
-The true benefit of this feature is client-side data caching, and
-oplocks is merely a notification mechanism for writing data back to the
-networked storage disk. The limitation of oplocks is the
-reliability of the mechanism to process an oplock break (notification)
-between the server and the caching client. If this exchange is faulty
-(usually due to timing out for any number of reasons), then the
-client-side caching benefit is negated.
-</p><p>
-<a class="indexterm" name="id383733"></a>
-The actual decision that a user or administrator should consider is
-whether it is sensible to share among multiple users data that will
-be cached locally on a client. In many cases the answer is no.
-Deciding when to cache or not cache data is the real question, and thus
-oplocks should be treated as a toggle for client-side
-caching. Turn it <span class="quote">&#8220;<span class="quote">on</span>&#8221;</span> when client-side caching is desirable and
-reliable. Turn it <span class="quote">&#8220;<span class="quote">off</span>&#8221;</span> when client-side caching is redundant,
-unreliable, or counterproductive.
-</p><p>
-<a class="indexterm" name="id383754"></a>
-Oplocks is by default set to <span class="quote">&#8220;<span class="quote">on</span>&#8221;</span> by Samba on all
-configured shares, so careful attention should be given to each case to
-determine if the potential benefit is worth the potential for delays.
-The following recommendations will help to characterize the environment
-where oplocks may be effectively configured.
-</p><p>
-<a class="indexterm" name="id383770"></a>
-<a class="indexterm" name="id383776"></a>
-Windows oplocks is a lightweight performance-enhancing
-feature. It is not a robust and reliable protocol. Every
-implementation of oplocks should be evaluated as a
-trade-off between perceived performance and reliability. Reliability
-decreases as each successive rule above is not enforced. Consider a
-share with oplocks enabled, over a wide-area network, to a client on a
-South Pacific atoll, on a high-availability server, serving a
-mission-critical multiuser corporate database during a tropical
-storm. This configuration will likely encounter problems with oplocks.
-</p><p>
-<a class="indexterm" name="id383791"></a>
-Oplocks can be beneficial to perceived client performance when treated
-as a configuration toggle for client-side data caching. If the data
-caching is likely to be interrupted, then oplock usage should be
-reviewed. Samba enables oplocks by default on all
-shares. Careful attention should be given to the client usage of
-shared data on the server, the server network reliability, and the
-oplocks configuration of each share.
-In mission-critical, high-availability environments, data integrity is
-often a priority. Complex and expensive configurations are implemented
-to ensure that if a client loses connectivity with a file server, a
-failover replacement will be available immediately to provide
-continuous data availability.
-</p><p>
-<a class="indexterm" name="id383808"></a>
-<a class="indexterm" name="id383814"></a>
-Windows client failover behavior is more at risk of application
-interruption than other platforms because it is dependent upon an
-established TCP transport connection. If the connection is interrupted
- as in a file server failover a new session must be established.
-It is rare for Windows client applications to be coded to recover
-correctly from a transport connection loss; therefore, most applications
-will experience some sort of interruption at worst, abort and
-require restarting.
-</p><p>
-<a class="indexterm" name="id383837"></a>
-<a class="indexterm" name="id383843"></a>
-<a class="indexterm" name="id383850"></a>
-If a client session has been caching writes and reads locally due to
-oplocks, it is likely that the data will be lost when the
-application restarts or recovers from the TCP interrupt. When the TCP
-connection drops, the client state is lost. When the file server
-recovers, an oplock break is not sent to the client. In this case, the
-work from the prior session is lost. Observing this scenario with
-oplocks disabled and with the client writing data to the file server
-real-time, the failover will provide the data on disk as it
-existed at the time of the disconnect.
-</p><p>
-In mission-critical, high-availability environments, careful attention
-should be given to oplocks. Ideally, comprehensive
-testing should be done with all affected applications with oplocks
-enabled and disabled.
-</p><div class="sect3" title="Exclusively Accessed Shares"><div class="titlepage"><div><div><h4 class="title"><a name="id383868"></a>Exclusively Accessed Shares</h4></div></div></div><p>
-Oplocks is most effective when it is confined to shares
-that are exclusively accessed by a single user, or by only one user at
-a time. Because the true value of oplocks is the local
-client caching of data, any operation that interrupts the caching
-mechanism will cause a delay.
-</p><p>
-Home directories are the most obvious examples of where the performance
-benefit of oplocks can be safely realized.
-</p></div><div class="sect3" title="Multiple-Accessed Shares or Files"><div class="titlepage"><div><div><h4 class="title"><a name="id383885"></a>Multiple-Accessed Shares or Files</h4></div></div></div><p>
-As each additional user accesses a file in a share with oplocks
-enabled, the potential for delays and resulting perceived poor
-performance increases. When multiple users are accessing a file on a
-share that has oplocks enabled, the management impact of sending and
-receiving oplock breaks and the resulting latency while other clients
-wait for the caching client to flush data offset the performance gains
-of the caching user.
-</p><p>
-As each additional client attempts to access a file with oplocks set,
-the potential performance improvement is negated and eventually results
-in a performance bottleneck.
-</p></div><div class="sect3" title="UNIX or NFS Client-Accessed Files"><div class="titlepage"><div><div><h4 class="title"><a name="id383903"></a>UNIX or NFS Client-Accessed Files</h4></div></div></div><p>
-<a class="indexterm" name="id383911"></a>
-<a class="indexterm" name="id383918"></a>
-Local UNIX and NFS clients access files without a mandatory
-file-locking mechanism. Thus, these client platforms are incapable of
-initiating an oplock break request from the server to a Windows client
-that has a file cached. Local UNIX or NFS file access can therefore
-write to a file that has been cached by a Windows client, which
-exposes the file to likely data corruption.
-</p><p>
-If files are shared between Windows clients and either local UNIX
-or NFS users, turn oplocks off.
-</p></div><div class="sect3" title="Slow and/or Unreliable Networks"><div class="titlepage"><div><div><h4 class="title"><a name="id383934"></a>Slow and/or Unreliable Networks</h4></div></div></div><p>
-<a class="indexterm" name="id383942"></a>
-<a class="indexterm" name="id383949"></a>
-<a class="indexterm" name="id383955"></a>
-The biggest potential performance improvement for oplocks
-occurs when the client-side caching of reads and writes delivers the
-most differential over sending those reads and writes over the wire.
-This is most likely to occur when the network is extremely slow,
-congested, or distributed (as in a WAN). However, network latency also
-has a high impact on the reliability of the oplock break
-mechanism, and thus increases the likelihood of encountering oplock
-problems that more than offset the potential perceived performance
-gain. Of course, if an oplock break never has to be sent, then this is
-the most advantageous scenario in which to utilize oplocks.
-</p><p>
-If the network is slow, unreliable, or a WAN, then do not configure
-oplocks if there is any chance of multiple users
-regularly opening the same file.
-</p></div><div class="sect3" title="Multiuser Databases"><div class="titlepage"><div><div><h4 class="title"><a name="id383974"></a>Multiuser Databases</h4></div></div></div><p>
-<a class="indexterm" name="id383982"></a>
-<a class="indexterm" name="id383989"></a>
-<a class="indexterm" name="id383996"></a>
-Multiuser databases clearly pose a risk due to their very nature they are typically heavily
-accessed by numerous users at random intervals. Placing a multiuser database on a share with oplocks enabled
-will likely result in a locking management bottleneck on the Samba server. Whether the database application is
-developed in-house or a commercially available product, ensure that the share has oplocks disabled.
-</p></div><div class="sect3" title="PDM Data Shares"><div class="titlepage"><div><div><h4 class="title"><a name="id384012"></a>PDM Data Shares</h4></div></div></div><p>
-<a class="indexterm" name="id384020"></a>
-<a class="indexterm" name="id384026"></a>
-<a class="indexterm" name="id384032"></a>
-<a class="indexterm" name="id384039"></a>
-<a class="indexterm" name="id384046"></a>
-Process data management (PDM) applications such as IMAN, Enovia, and Clearcase are increasing in usage with
-Windows client platforms and therefore with SMB datastores. PDM applications manage multiuser environments for
-critical data security and access. The typical PDM environment is usually associated with sophisticated client
-design applications that will load data locally as demanded. In addition, the PDM application will usually
-monitor the data state of each client. In this case, client-side data caching is best left to the local
-application and PDM server to negotiate and maintain. It is appropriate to eliminate the client OS from any
-caching tasks, and the server from any oplocks management, by disabling oplocks on the share.
-</p></div><div class="sect3" title="Beware of Force User"><div class="titlepage"><div><div><h4 class="title"><a name="id384068"></a>Beware of Force User</h4></div></div></div><p>
-<a class="indexterm" name="id384075"></a>
-Samba includes an <code class="filename">smb.conf</code> parameter called <a class="link" href="smb.conf.5.html#FORCEUSER" target="_top">force user</a> that changes the user
-accessing a share from the incoming user to whatever user is defined by the <code class="filename">smb.conf</code> variable. If oplocks is
-enabled on a share, the change in user access causes an oplock break to be sent to the client, even if the
-user has not explicitly loaded a file. In cases where the network is slow or unreliable, an oplock break can
-become lost without the user even accessing a file. This can cause apparent performance degradation as the
-client continually reconnects to overcome the lost oplock break.
-</p><p>
-Avoid the combination of the following:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="link" href="smb.conf.5.html#FORCEUSER" target="_top">force user</a> in the <code class="filename">smb.conf</code> share configuration.
- </p></li><li class="listitem"><p>
- Slow or unreliable networks.
- </p></li><li class="listitem"><p>
- Oplocks enabled.
- </p></li></ul></div></div><div class="sect3" title="Advanced Samba Oplocks Parameters"><div class="titlepage"><div><div><h4 class="title"><a name="id384149"></a>Advanced Samba Oplocks Parameters</h4></div></div></div><p>
-<a class="indexterm" name="id384157"></a>
-<a class="indexterm" name="id384163"></a>
-<a class="indexterm" name="id384170"></a>
-Samba provides oplock parameters that allow the
-administrator to adjust various properties of the oplock mechanism to
-account for timing and usage levels. These parameters provide good
-versatility for implementing oplocks in environments where they would
-likely cause problems. The parameters are
-<a class="link" href="smb.conf.5.html#OPLOCKBREAKWAITTIME" target="_top">oplock break wait time</a>, and
-<a class="link" href="smb.conf.5.html#OPLOCKCONTENTIONLIMIT" target="_top">oplock contention limit</a>.
-</p><p>
-<a class="indexterm" name="id384206"></a>
-For most users, administrators, and environments, if these parameters
-are required, then the better option is simply to turn oplocks off.
-The Samba SWAT help text for both parameters reads: <span class="quote">&#8220;<span class="quote">Do not change
-this parameter unless you have read and understood the Samba oplock code.</span>&#8221;</span>
-This is good advice.
-</p></div><div class="sect3" title="Mission-Critical, High-Availability"><div class="titlepage"><div><div><h4 class="title"><a name="id384220"></a>Mission-Critical, High-Availability</h4></div></div></div><p>
-In mission-critical, high-availability environments, data integrity is
-often a priority. Complex and expensive configurations are implemented
-to ensure that if a client loses connectivity with a file server, a
-failover replacement will be available immediately to provide
-continuous data availability.
-</p><p>
-Windows client failover behavior is more at risk of application
-interruption than other platforms because it is dependent upon an
-established TCP transport connection. If the connection is interrupted
- as in a file server failover a new session must be established.
-It is rare for Windows client applications to be coded to recover
-correctly from a transport connection loss; therefore, most applications
-will experience some sort of interruption at worst, abort and
-require restarting.
-</p><p>
-If a client session has been caching writes and reads locally due to
-oplocks, it is likely that the data will be lost when the
-application restarts or recovers from the TCP interrupt. When the TCP
-connection drops, the client state is lost. When the file server
-recovers, an oplock break is not sent to the client. In this case, the
-work from the prior session is lost. Observing this scenario with
-oplocks disabled, if the client was writing data to the file server
-real-time, then the failover will provide the data on disk as it
-existed at the time of the disconnect.
-</p><p>
-In mission-critical, high-availability environments, careful attention
-should be given to oplocks. Ideally, comprehensive
-testing should be done with all affected applications with oplocks
-enabled and disabled.
-</p></div></div></div><div class="sect1" title="Samba Oplocks Control"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id384264"></a>Samba Oplocks Control</h2></div></div></div><p>
-Oplocks is a unique Windows file locking feature. It is
-not really file locking, but is included in most discussions of Windows
-file locking, so is considered a de facto locking feature.
-Oplocks is actually part of the Windows client file
-caching mechanism. It is not a particularly robust or reliable feature
-when implemented on the variety of customized networks that exist in
-enterprise computing.
-</p><p>
-Like Windows, Samba implements oplocks as a server-side
-component of the client caching mechanism. Because of the lightweight
-nature of the Windows feature design, effective configuration of
-oplocks requires a good understanding of its limitations,
-and then applying that understanding when configuring data access for
-each particular customized network and client usage state.
-</p><p>
-Oplocks essentially means that the client is allowed to download and cache
-a file on its hard drive while making changes; if a second client wants to access the
-file, the first client receives a break and must synchronize the file back to the server.
-This can give significant performance gains in some cases; some programs insist on
-synchronizing the contents of the entire file back to the server for a single change.
-</p><p>
-Level1 Oplocks (also known as just plain <span class="quote">&#8220;<span class="quote">oplocks</span>&#8221;</span>) is another term for opportunistic locking.
-</p><p>
-Level2 Oplocks provides opportunistic locking for a file that will be treated as
-<span class="emphasis"><em>read only</em></span>. Typically this is used on files that are read-only or
-on files that the client has no initial intention to write to at time of opening the file.
-</p><p>
-Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with
-Samba's oplocked files, although this has provided better integration of MS Windows network
-file locking with the underlying OS. SGI IRIX and Linux are the only two OSs that are
-oplock-aware at this time.
-</p><p>
-Unless your system supports kernel oplocks, you should disable oplocks if you are
-accessing the same files from both UNIX/Linux and SMB clients. Regardless, oplocks should
-always be disabled if you are sharing a database file (e.g., Microsoft Access) between
-multiple clients, because any break the first client receives will affect synchronization of
-the entire file (not just the single record), which will result in a noticeable performance
-impairment and, more likely, problems accessing the database in the first place. Notably,
-Microsoft Outlook's personal folders (*.pst) react quite badly to oplocks. If in doubt,
-disable oplocks and tune your system from that point.
-</p><p>
-If client-side caching is desirable and reliable on your network, you will benefit from
-turning on oplocks. If your network is slow and/or unreliable, or you are sharing your
-files among other file sharing mechanisms (e.g., NFS) or across a WAN, or multiple people
-will be accessing the same files frequently, you probably will not benefit from the overhead
-of your client sending oplock breaks and will instead want to disable oplocks for the share.
-</p><p>
-Another factor to consider is the perceived performance of file access. If oplocks provide no
-measurable speed benefit on your network, it might not be worth the hassle of dealing with them.
-</p><div class="sect2" title="Example Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id384333"></a>Example Configuration</h3></div></div></div><p>
-In the following section we examine two distinct aspects of Samba locking controls.
-</p><div class="sect3" title="Disabling Oplocks"><div class="titlepage"><div><div><h4 class="title"><a name="id384342"></a>Disabling Oplocks</h4></div></div></div><p>
-You can disable oplocks on a per-share basis with the following:
-</p><p>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[acctdata]</code></em></td></tr><tr><td><a class="indexterm" name="id384367"></a><em class="parameter"><code>oplocks = False</code></em></td></tr><tr><td><a class="indexterm" name="id384379"></a><em class="parameter"><code>level2 oplocks = False</code></em></td></tr></table><p>
-</p><p>
-The default oplock type is Level1. Level2 oplocks are enabled on a per-share basis
-in the <code class="filename">smb.conf</code> file.
-</p><p>
-Alternately, you could disable oplocks on a per-file basis within the share:
-</p><p>
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id384413"></a><em class="parameter"><code>veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/</code></em></td></tr></table><p>
-</p><p>
-If you are experiencing problems with oplocks, as apparent from Samba's log entries,
-you may want to play it safe and disable oplocks and Level2 oplocks.
-</p></div><div class="sect3" title="Disabling Kernel Oplocks"><div class="titlepage"><div><div><h4 class="title"><a name="id384432"></a>Disabling Kernel Oplocks</h4></div></div></div><p>
-Kernel oplocks is an <code class="filename">smb.conf</code> parameter that notifies Samba (if
-the UNIX kernel has the capability to send a Windows client an oplock
-break) when a UNIX process is attempting to open the file that is
-cached. This parameter addresses sharing files between UNIX and
-Windows with oplocks enabled on the Samba server: the UNIX process
-can open the file that is Oplocked (cached) by the Windows client and
-the smbd process will not send an oplock break, which exposes the file
-to the risk of data corruption. If the UNIX kernel has the ability to
-send an oplock break, then the kernel oplocks parameter enables Samba
-to send the oplock break. Kernel oplocks are enabled on a per-server
-basis in the <code class="filename">smb.conf</code> file.
-</p><p>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id384466"></a><em class="parameter"><code>kernel oplocks = yes</code></em></td></tr></table><p>
-The default is no.
-</p><p>
-<span class="emphasis"><em>Veto oplocks</em></span> is an <code class="filename">smb.conf</code> parameter that identifies specific files for
-which oplocks are disabled. When a Windows client opens a file that
-has been configured for veto oplocks, the client will not be granted
-the oplock, and all operations will be executed on the original file on
-disk instead of a client-cached file copy. By explicitly identifying
-files that are shared with UNIX processes and disabling oplocks for
-those files, the server-wide oplock configuration can be enabled to
-allow Windows clients to utilize the performance benefit of file
-caching without the risk of data corruption. Veto oplocks can be
-enabled on a per-share basis, or globally for the entire server, in the
-<code class="filename">smb.conf</code> file as shown in <a class="link" href="locking.html#far1" title="Example 17.1. Share with Some Files Oplocked">&#8220;Share with Some Files Oplocked&#8221;</a>.
-</p><p>
-</p><div class="example"><a name="far1"></a><p class="title"><b>Example 17.1. Share with Some Files Oplocked</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id384535"></a><em class="parameter"><code>veto oplock files = /filename.htm/*.txt/</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[share_name]</code></em></td></tr><tr><td><a class="indexterm" name="id384556"></a><em class="parameter"><code>veto oplock files = /*.exe/filename.ext/</code></em></td></tr></table></div></div><p><br class="example-break">
-</p><p>
-<a class="link" href="smb.conf.5.html#OPLOCKBREAKWAITTIME" target="_top">oplock break wait time</a> is an <code class="filename">smb.conf</code> parameter
-that adjusts the time interval for Samba to reply to an oplock break request. Samba recommends:
-<span class="quote">&#8220;<span class="quote">Do not change this parameter unless you have read and understood the Samba oplock code.</span>&#8221;</span>
-Oplock break wait time can only be configured globally in the <code class="filename">smb.conf</code> file as shown:
-</p><p>
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id384608"></a><em class="parameter"><code>oplock break wait time = 0 (default)</code></em></td></tr></table><p>
-</p><p>
-<span class="emphasis"><em>Oplock break contention limit</em></span> is an <code class="filename">smb.conf</code> parameter that limits the
-response of the Samba server to grant an oplock if the configured
-number of contending clients reaches the limit specified by the parameter. Samba recommends
-<span class="quote">&#8220;<span class="quote">Do not change this parameter unless you have read and understood the Samba oplock code.</span>&#8221;</span>
-Oplock break contention limit can be enabled on a per-share basis, or globally for
-the entire server, in the <code class="filename">smb.conf</code> file as shown in <a class="link" href="locking.html#far3" title="Example 17.2. Configuration with Oplock Break Contention Limit">&#8220;Configuration with Oplock Break Contention Limit&#8221;</a>.
-</p><p>
-</p><div class="example"><a name="far3"></a><p class="title"><b>Example 17.2. Configuration with Oplock Break Contention Limit</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id384678"></a><em class="parameter"><code>oplock break contention limit = 2 (default)</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[share_name]</code></em></td></tr><tr><td><a class="indexterm" name="id384699"></a><em class="parameter"><code>oplock break contention limit = 2 (default)</code></em></td></tr></table></div></div><p><br class="example-break">
-</p></div></div></div><div class="sect1" title="MS Windows Oplocks and Caching Controls"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id384716"></a>MS Windows Oplocks and Caching Controls</h2></div></div></div><p>
-There is a known issue when running applications (like Norton Antivirus) on a Windows 2000/ XP
-workstation computer that can affect any application attempting to access shared database files
-across a network. This is a result of a default setting configured in the Windows 2000/XP
-operating system. When a workstation
-attempts to access shared data files located on another Windows 2000/XP computer,
-the Windows 2000/XP operating system will attempt to increase performance by locking the
-files and caching information locally. When this occurs, the application is unable to
-properly function, which results in an <span class="quote">&#8220;<span class="quote">Access Denied</span>&#8221;</span>
- error message being displayed during network operations.
-</p><p>
-All Windows operating systems in the NT family that act as database servers for data files
-(meaning that data files are stored there and accessed by other Windows PCs) may need to
-have oplocks disabled in order to minimize the risk of data file corruption.
-This includes Windows 9x/Me, Windows NT, Windows 200x, and Windows XP.
-<sup>[<a name="id384740" href="#ftn.id384740" class="footnote">5</a>]</sup>
-</p><p>
-If you are using a Windows NT family workstation in place of a server, you must also
-disable oplocks on that workstation. For example, if you use a
-PC with the Windows NT Workstation operating system instead of Windows NT Server, and you
-have data files located on it that are accessed from other Windows PCs, you may need to
-disable oplocks on that system.
-</p><p>
-The major difference is the location in the Windows registry where the values for disabling
-oplocks are entered. Instead of the LanManServer location, the LanManWorkstation location
-may be used.
-</p><p>
-You can verify (change or add, if necessary) this registry value using the Windows
-Registry Editor. When you change this registry value, you will have to reboot the PC
-to ensure that the new setting goes into effect.
-</p><p>
-The location of the client registry entry for oplocks has changed in
-Windows 2000 from the earlier location in Microsoft Windows NT.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Windows 2000 will still respect the EnableOplocks registry value used to disable oplocks
-in earlier versions of Windows.
-</p></div><p>
-You can also deny the granting of oplocks by changing the following registry entries:
-</p><p>
-</p><pre class="programlisting">
- HKEY_LOCAL_MACHINE\System\
- CurrentControlSet\Services\MRXSmb\Parameters\
-
- OplocksDisabled REG_DWORD 0 or 1
- Default: 0 (not disabled)
-</pre><p>
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-The OplocksDisabled registry value configures Windows clients to either request or not
-request oplocks on a remote file. To disable oplocks, the value of
- OplocksDisabled must be set to 1.
-</p></div><p>
-</p><pre class="programlisting">
- HKEY_LOCAL_MACHINE\System\
- CurrentControlSet\Services\LanmanServer\Parameters
-
- EnableOplocks REG_DWORD 0 or 1
- Default: 1 (Enabled by Default)
-
- EnableOpLockForceClose REG_DWORD 0 or 1
- Default: 0 (Disabled by Default)
-</pre><p>
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-The EnableOplocks value configures Windows-based servers (including Workstations sharing
-files) to allow or deny oplocks on local files.
-</p></div><p>
-To force closure of open oplocks on close or program exit, EnableOpLockForceClose must be set to 1.
-</p><p>
-An illustration of how Level2 oplocks work follows:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Station 1 opens the file requesting oplock.
- </p></li><li class="listitem"><p>
- Since no other station has the file open, the server grants station 1 exclusive oplock.
- </p></li><li class="listitem"><p>
- Station 2 opens the file requesting oplock.
- </p></li><li class="listitem"><p>
- Since station 1 has not yet written to the file, the server asks station 1 to break
- to Level2 oplock.
- </p></li><li class="listitem"><p>
- Station 1 complies by flushing locally buffered lock information to the server.
- </p></li><li class="listitem"><p>
- Station 1 informs the server that it has broken to level2 Oplock (alternately,
- station 1 could have closed the file).
- </p></li><li class="listitem"><p>
- The server responds to station 2's open request, granting it Level2 oplock.
- Other stations can likewise open the file and obtain Level2 oplock.
- </p></li><li class="listitem"><p>
- Station 2 (or any station that has the file open) sends a write request SMB.
- The server returns the write response.
- </p></li><li class="listitem"><p>
- The server asks all stations that have the file open to break to none, meaning no
- station holds any oplock on the file. Because the workstations can have no cached
- writes or locks at this point, they need not respond to the break-to-none advisory;
- all they need do is invalidate locally cashed read-ahead data.
- </p></li></ul></div><div class="sect2" title="Workstation Service Entries"><div class="titlepage"><div><div><h3 class="title"><a name="id384868"></a>Workstation Service Entries</h3></div></div></div><pre class="programlisting">
- \HKEY_LOCAL_MACHINE\System\
- CurrentControlSet\Services\LanmanWorkstation\Parameters
-
- UseOpportunisticLocking REG_DWORD 0 or 1
- Default: 1 (true)
-</pre><p>
-This indicates whether the redirector should use oplocks performance
-enhancement. This parameter should be disabled only to isolate problems.
-</p></div><div class="sect2" title="Server Service Entries"><div class="titlepage"><div><div><h3 class="title"><a name="id384888"></a>Server Service Entries</h3></div></div></div><pre class="programlisting">
- \HKEY_LOCAL_MACHINE\System\
- CurrentControlSet\Services\LanmanServer\Parameters
-
- EnableOplocks REG_DWORD 0 or 1
- Default: 1 (true)
-</pre><p>
-This specifies whether the server allows clients to use oplocks on files. Oplocks are a
-significant performance enhancement, but have the potential to cause lost cached
-data on some networks, particularly WANs.
-</p><pre class="programlisting">
- MinLinkThroughput REG_DWORD 0 to infinite bytes per second
- Default: 0
-</pre><p>
-This specifies the minimum link throughput allowed by the server before it disables
-raw I/O and oplocks for this connection.
-</p><pre class="programlisting">
- MaxLinkDelay REG_DWORD 0 to 100,000 seconds
- Default: 60
-</pre><p>
-This specifies the maximum time allowed for a link delay. If delays exceed this number,
-the server disables raw I/O and oplocks for this connection.
-</p><pre class="programlisting">
- OplockBreakWait REG_DWORD 10 to 180 seconds
- Default: 35
-</pre><p>
-This specifies the time that the server waits for a client to respond to an oplock break
-request. Smaller values can allow detection of crashed clients more quickly but can
-potentially cause loss of cached data.
-</p></div></div><div class="sect1" title="Persistent Data Corruption"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id384944"></a>Persistent Data Corruption</h2></div></div></div><p>
-If you have applied all of the settings discussed in this chapter but data corruption problems
-and other symptoms persist, here are some additional things to check out.
-</p><p>
-We have credible reports from developers that faulty network hardware, such as a single
-faulty network card, can cause symptoms similar to read caching and data corruption.
-If you see persistent data corruption even after repeated re-indexing, you may have to
-rebuild the data files in question. This involves creating a new data file with the
-same definition as the file to be rebuilt and transferring the data from the old file
-to the new one. There are several known methods for doing this that can be found in
-our knowledge base.
-</p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id384963"></a>Common Errors</h2></div></div></div><p>
-In some sites locking problems surface as soon as a server is installed; in other sites
-locking problems may not surface for a long time. Almost without exception, when a locking
-problem does surface, it will cause embarrassment and potential data corruption.
-</p><p>
-Over the past few years there have been a number of complaints on the Samba mailing lists
-that have claimed that Samba caused data corruption. Three causes have been identified
-so far:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Incorrect configuration of oplocks (incompatible with the application
- being used). This is a common problem even where MS Windows NT4 or MS Windows
- 200x-based servers were in use. It is imperative that the software application vendors'
- instructions for configuration of file locking should be followed. If in doubt,
- disable oplocks on both the server and the client. Disabling of all forms of file
- caching on the MS Windows client may be necessary also.
- </p></li><li class="listitem"><p>
- Defective network cards, cables, or hubs/switches. This is generally a more
- prevalent factor with low-cost networking hardware, although occasionally there
- have also been problems with incompatibilities in more up-market hardware.
- </p></li><li class="listitem"><p>
- There have been some random reports of Samba log files being written over data
- files. This has been reported by very few sites (about five in the past 3 years)
- and all attempts to reproduce the problem have failed. The Samba Team has been
- unable to catch this happening and thus unable to isolate any particular
- cause. Considering the millions of systems that use Samba, for the sites that have
- been affected by this as well as for the Samba Team, this is a frustrating and
- vexing challenge. If you see this type of thing happening, please create a bug
- report on Samba <a class="ulink" href="https://bugzilla.samba.org" target="_top">Bugzilla</a> without delay.
- Make sure that you give as much information as you possibly can to help isolate the
- cause and to allow replication of the problem (an essential step in problem isolation and correction).
- </p></li></ul></div><div class="sect2" title="locking.tdb Error Messages"><div class="titlepage"><div><div><h3 class="title"><a name="id385014"></a>locking.tdb Error Messages</h3></div></div></div><p>
- <span class="quote">&#8220;<span class="quote">
- We are seeing lots of errors in the Samba logs, like:
- </span>&#8221;</span>
-</p><pre class="programlisting">
-tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
- 0x4d6f4b61 at offset=36116
-</pre><p>
-
- <span class="quote">&#8220;<span class="quote">
- What do these mean?
- </span>&#8221;</span>
- </p><p>
- This error indicates a corrupted tdb. Stop all instances of smbd, delete locking.tdb, and restart smbd.
- </p></div><div class="sect2" title="Problems Saving Files in MS Office on Windows XP"><div class="titlepage"><div><div><h3 class="title"><a name="id385042"></a>Problems Saving Files in MS Office on Windows XP</h3></div></div></div><a class="indexterm" name="id385048"></a><p>This is a bug in Windows XP. More information can be
- found in <a class="ulink" href="http://support.microsoft.com/?id=812937" target="_top">Microsoft Knowledge Base article 812937</a></p>.
-
- </div><div class="sect2" title="Long Delays Deleting Files over Network with XP SP1"><div class="titlepage"><div><div><h3 class="title"><a name="id385065"></a>Long Delays Deleting Files over Network with XP SP1</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">It sometimes takes approximately 35 seconds to delete files over the network after XP SP1 has been applied.</span>&#8221;</span></p><a class="indexterm" name="id385076"></a><p>This is a bug in Windows XP. More information can be found in <a class="ulink" href="http://support.microsoft.com/?id=811492" target="_top">
- Microsoft Knowledge Base article 811492</a></p>.
- </div></div><div class="sect1" title="Additional Reading"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385094"></a>Additional Reading</h2></div></div></div><p>
-You may want to check for an updated documentation regarding file and record locking issues on the Microsoft
-<a class="ulink" href="http://support.microsoft.com/" target="_top">Support</a> web site. Additionally, search for the word
-<code class="literal">locking</code> on the Samba <a class="ulink" href="http://www.samba.org/" target="_top">web</a> site.
-</p><p>
-Section of the Microsoft MSDN Library on opportunistic locking:
-</p><p>
-<a class="indexterm" name="id385128"></a>
-Microsoft Knowledge Base, <span class="quote">&#8220;<span class="quote">Maintaining Transactional Integrity with OPLOCKS</span>&#8221;</span>,
-Microsoft Corporation, April 1999, <a class="ulink" href="http://support.microsoft.com/?id=224992" target="_top">Microsoft
-KB Article 224992</a>.
-</p><p>
-<a class="indexterm" name="id385151"></a>
-Microsoft Knowledge Base, <span class="quote">&#8220;<span class="quote">Configuring Opportunistic Locking in Windows 2000</span>&#8221;</span>,
-Microsoft Corporation, April 2001 <a class="ulink" href="http://support.microsoft.com/?id=296264" target="_top">Microsoft KB Article 296264</a>.
-</p><p>
-<a class="indexterm" name="id385173"></a>
-Microsoft Knowledge Base, <span class="quote">&#8220;<span class="quote">PC Ext: Explanation of Opportunistic Locking on Windows NT</span>&#8221;</span>,
-Microsoft Corporation, April 1995 <a class="ulink" href="http://support.microsoft.com/?id=129202" target="_top">Microsoft
-KB Article 129202</a>.
-</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id384740" href="#id384740" class="para">5</a>] </sup>Microsoft has documented this in Knowledge Base article 300216.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 16. File, Directory, and Share Access Controls </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 18. Securing Samba</td></tr></table></div></body></html>
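Review bot: if the DocBook source for this chapter stays in the tree, the text defects visible in this removed locking.html should be fixed there rather than dropped along with the rendered copy. In the Level2 oplocks walk-through, "invalidate locally cashed read-ahead data" should read "cached". Both Windows XP entries under Common Errors end with "</p>." so the period falls outside the paragraph. The failover paragraph has lost its dashes ("If the connection is interrupted as in a file server failover a new session must be established"). It is also worth grepping the remaining docs for links to locking.html#far1 and locking.html#far3, since the page refers to its own examples through those anchors and other pages may as well.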
diff --git a/docs/htmldocs/Samba3-HOWTO/migration.html b/docs/htmldocs/Samba3-HOWTO/migration.html
deleted file mode 100644
index ee76a00e1a..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/migration.html
+++ /dev/null
@@ -1 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part IV. Migration and Updating</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="cfgsmarts.html" title="Chapter 34. Advanced Configuration Techniques"><link rel="next" href="upgrading-to-3.0.html" title="Chapter 35. Updating and Upgrading Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part IV. Migration and Updating</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="cfgsmarts.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr></table><hr></div><div class="part" title="Part IV. Migration and Updating"><div class="titlepage"><div><div><h1 class="title"><a name="migration"></a>Part IV. Migration and Updating</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="upgrading-to-3.0.html">35. 
Updating and Upgrading Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="upgrading-to-3.0.html#id438461">Key Update Requirements</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438485">Upgrading from Samba-3.0.x to Samba-3.2.0</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438531">Quick Migration Guide</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrading-to-3.0.html#id438669">New Features in Samba-3.x Series</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x Series</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440069">New Functionality</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NT4Migration.html">36. Migration from NT4 PDC to Samba-3 PDC</a></span></dt><dd><dl><dt><span class="sect1"><a href="NT4Migration.html#id441392">Planning and Getting Started</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id441422">Objectives</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id442286">Steps in Migration Process</a></span></dt></dl></dd><dt><span class="sect1"><a href="NT4Migration.html#id442509">Migration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="NT4Migration.html#id442592">Planning for Success</a></span></dt><dt><span class="sect2"><a href="NT4Migration.html#id442812">Samba-3 Implementation Choices</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="SWAT.html">37. 
SWAT: The Samba Web Administration Tool</a></span></dt><dd><dl><dt><span class="sect1"><a href="SWAT.html#id443273">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SWAT.html#id443386">Guidelines and Technical Tips</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id443404">Validate SWAT Installation</a></span></dt><dt><span class="sect2"><a href="SWAT.html#xinetd">Enabling SWAT for Use</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id443982">Securing SWAT through SSL</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444127">Enabling SWAT Internationalization Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="SWAT.html#id444313">Overview and Quick Tour</a></span></dt><dd><dl><dt><span class="sect2"><a href="SWAT.html#id444324">The SWAT Home Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444377">Global Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444473">Share Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444525">Printers Settings</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444577">The SWAT Wizard</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444633">The Status Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444672">The View Page</a></span></dt><dt><span class="sect2"><a href="SWAT.html#id444690">The Password Change Page</a></span></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="cfgsmarts.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 34. 
Advanced Configuration Techniques </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 35. Updating and Upgrading Samba</td></tr></table></div></body></html>
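Review bot: migration.html is generated output (its meta generator tag names DocBook XSL Stylesheets V1.75.2), so the commit message should say, if it does not already, where the HTML is built from after this removal and how it gets published. The table of contents here links into upgrading-to-3.0.html, NT4Migration.html and SWAT.html through auto-generated anchors such as #id438461 and #id443982. Any file left in the tree that links to this page or to those anchors will break, so a quick search for "migration.html" before merging would be a useful check.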
diff --git a/docs/htmldocs/Samba3-HOWTO/msdfs.html b/docs/htmldocs/Samba3-HOWTO/msdfs.html
deleted file mode 100644
index 44395523e9..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/msdfs.html
+++ /dev/null
@@ -1,94 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 20. Hosting a Microsoft Distributed File System Tree</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="InterdomainTrusts.html" title="Chapter 19. Interdomain Trust Relationships"><link rel="next" href="classicalprinting.html" title="Chapter 21. Classical Printing Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 20. Hosting a Microsoft Distributed File System Tree</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="InterdomainTrusts.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="classicalprinting.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"><div class="titlepage"><div><div><h2 class="title"><a name="msdfs"></a>Chapter 20. Hosting a Microsoft Distributed File System Tree</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Shirish</span> <span class="surname">Kalele</span></h3><div class="affiliation"><span class="orgname">Samba Team &amp; Veritas Software<br></span><div class="address"><p><br>
- <code class="email">&lt;<a class="email" href="mailto:samba@samba.org">samba@samba.org</a>&gt;</code><br>
- </p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">12 Jul 2000</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="msdfs.html#id388393">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="msdfs.html#id388783">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="msdfs.html#id388812">MSDFS UNIX Path Is Case-Critical</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388393"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id388401"></a>
-<a class="indexterm" name="id388410"></a>
-<a class="indexterm" name="id388417"></a>
-<a class="indexterm" name="id388424"></a>
-<a class="indexterm" name="id388430"></a>
- The distributed file system (DFS) provides a means of separating the logical
- view of files and directories that users see from the actual physical locations
- of these resources on the network. It allows for higher availability, smoother
- storage expansion, load balancing, and so on.
- </p><p>
-<a class="indexterm" name="id388443"></a>
-<a class="indexterm" name="id388450"></a>
-<a class="indexterm" name="id388456"></a>
- For information about DFS, refer to the <a class="ulink" href="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" target="_top">Microsoft
- documentation</a>. This document explains how to host a DFS tree on a UNIX machine (for DFS-aware clients
- to browse) using Samba.
- </p><p>
-<a class="indexterm" name="id388474"></a>
-<a class="indexterm" name="id388481"></a>
-<a class="indexterm" name="id388488"></a>
-<a class="indexterm" name="id388495"></a>
- A Samba server can be made a DFS server by setting the global Boolean <a class="link" href="smb.conf.5.html#HOSTMSDFS" target="_top">host msdfs</a>
- parameter in the <code class="filename">smb.conf</code> file. You designate a share as a DFS root using the share-level Boolean
- <a class="link" href="smb.conf.5.html#MSDFSROOT" target="_top">msdfs root</a> parameter. A DFS root directory on Samba hosts DFS links in the form of
- symbolic links that point to other servers. For example, a symbolic link
- <code class="filename">junction-&gt;msdfs:storage1\share1</code> in the share directory acts as the DFS junction. When
- DFS-aware clients attempt to access the junction link, they are redirected to the storage location (in this
- case, <em class="parameter"><code>\\storage1\share1</code></em>).
- </p><p>
-<a class="indexterm" name="id388551"></a>
-<a class="indexterm" name="id388558"></a>
-<a class="indexterm" name="id388564"></a>
-<a class="indexterm" name="id388571"></a>
- DFS trees on Samba work with all DFS-aware clients ranging from Windows 95 to 200x.
- <a class="link" href="msdfs.html#dfscfg" title="Example 20.1. smb.conf with DFS Configured">The following sample configuration</a> shows how to setup a DFS tree on a Samba server.
- In the <code class="filename">/export/dfsroot</code> directory, you set up your DFS links to
- other servers on the network.
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cd /export/dfsroot</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chown root /export/dfsroot</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>chmod 755 /export/dfsroot</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>ln -s msdfs:storageA\\shareA linka</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>ln -s msdfs:serverB\\share,serverC\\share linkb</code></strong>
-</pre><p>
-</p><div class="example"><a name="dfscfg"></a><p class="title"><b>Example 20.1. smb.conf with DFS Configured</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id388676"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id388688"></a><em class="parameter"><code>host msdfs = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[dfs]</code></em></td></tr><tr><td><a class="indexterm" name="id388708"></a><em class="parameter"><code>path = /export/dfsroot</code></em></td></tr><tr><td><a class="indexterm" name="id388720"></a><em class="parameter"><code>msdfs root = yes</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id388734"></a>
-<a class="indexterm" name="id388741"></a>
-<a class="indexterm" name="id388748"></a>
- You should set up the permissions and ownership of the directory acting as the DFS root so that only
- designated users can create, delete, or modify the msdfs links. Also note that symlink names should be all
- lowercase. This limitation exists to have Samba avoid trying all the case combinations to get at the link
- name. Finally, set up the symbolic links to point to the network shares you want and start Samba.
- </p><p>
-<a class="indexterm" name="id388761"></a>
-<a class="indexterm" name="id388768"></a>
- Users on DFS-aware clients can now browse the DFS tree on the Samba server at
- <code class="constant">\\samba\dfs</code>. Accessing links linka or linkb (which appear as directories to the client)
- takes users directly to the appropriate shares on the network.
- </p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388783"></a>Common Errors</h2></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Windows clients need to be rebooted
- if a previously mounted non-DFS share is made a DFS
- root, or vice versa. A better way is to introduce a
- new share and make it the DFS root.</p></li><li class="listitem"><p>Currently, there's a restriction that msdfs
- symlink names should all be lowercase.</p></li><li class="listitem"><p>For security purposes, the directory
- acting as the root of the DFS tree should have ownership
- and permissions set so only designated users can
- modify the symbolic links in the directory.</p></li></ul></div><div class="sect2" title="MSDFS UNIX Path Is Case-Critical"><div class="titlepage"><div><div><h3 class="title"><a name="id388812"></a>MSDFS UNIX Path Is Case-Critical</h3></div></div></div><p>
- A network administrator sent advice to the Samba mailing list
- after long sessions trying to determine why DFS was not working.
- His advice is worth noting.
- </p><p><span class="quote">&#8220;<span class="quote">
- I spent some time trying to figure out why my particular
- DFS root wasn't working. I noted in the documentation that
- the symlink should be in all lowercase. It should be
- amended that the entire path to the symlink should all be
- in lowercase as well.
- </span>&#8221;</span></p><p>
- <span class="quote">&#8220;<span class="quote">For example, I had a share defined as such:</span>&#8221;</span>
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[pub]</code></em></td></tr><tr><td><a class="indexterm" name="id388849"></a><em class="parameter"><code>path = /export/home/Shares/public_share</code></em></td></tr><tr><td><a class="indexterm" name="id388861"></a><em class="parameter"><code>msdfs root = yes</code></em></td></tr></table><p>
- <span class="quote">&#8220;<span class="quote">and I could not make my Windows 9x/Me (with the dfs client installed) follow this symlink:</span>&#8221;</span>
- </p><pre class="screen">
- damage1 -&gt; msdfs:damage\test-share
- </pre><p>
- </p><p>
- <span class="quote">&#8220;<span class="quote">Running a debug level of 10 reveals:</span>&#8221;</span>
- </p><pre class="programlisting">
- [2003/08/20 11:40:33, 5] msdfs/msdfs.c:is_msdfs_link(176)
- is_msdfs_link: /export/home/shares/public_share/* does not exist.
- </pre><p>
- <span class="quote">&#8220;<span class="quote">Curious. So I changed the directory name from <code class="constant">.../Shares/...</code> to
- <code class="constant">.../shares/...</code> (along with my service definition) and it worked!</span>&#8221;</span>
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="InterdomainTrusts.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="classicalprinting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 19. Interdomain Trust Relationships </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 21. Classical Printing Support</td></tr></table></div></body></html>
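Review bot: Nothing in this hunk shows where the chapter's operational guidance lives once msdfs.html is gone, and that matters most for the "Common Errors" list near the end of the file, which says the directory acting as the DFS root should have ownership and permissions set so only designated users can modify the symbolic links. The removed page is generator output (its head carries `meta name="generator" content="DocBook XSL Stylesheets V1.75.2"`), so deleting it is reasonable if the DocBook source stays in the tree, but please say so in the commit message and confirm the source still carries that permissions item, the `chown root` / `chmod 755` steps for `/export/dfsroot`, and the lowercase restriction on msdfs symlink names and on the whole path. It is also worth checking that nothing left in the tree still links to `msdfs.html#dfscfg` or the other anchors removed here.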
diff --git a/docs/htmldocs/Samba3-HOWTO/optional.html b/docs/htmldocs/Samba3-HOWTO/optional.html
deleted file mode 100644
index 60ec9cc1b5..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/optional.html
+++ /dev/null
@@ -1,7 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part III. Advanced Configuration</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="ClientConfig.html" title="Chapter 8. MS Windows Network Configuration Guide"><link rel="next" href="ChangeNotes.html" title="Chapter 9. Important and Critical Change Notes for the Samba 3.x Series"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part III. Advanced Configuration</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ClientConfig.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ChangeNotes.html">Next</a></td></tr></table><hr></div><div class="part" title="Part III. Advanced Configuration"><div class="titlepage"><div><div><h1 class="title"><a name="optional"></a>Part III. Advanced Configuration</h1></div></div></div><div class="partintro" title="Valuable Nuts and Bolts Information"><div><div><div><h1 class="title"><a name="id348852"></a>Valuable Nuts and Bolts Information</h1></div></div></div><p>
-Samba has several features that you might want or might not want to use.
-The chapters in this part each cover specific Samba features.
-</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="ChangeNotes.html">9. Important and Critical Change Notes for the Samba 3.x Series</a></span></dt><dd><dl><dt><span class="sect1"><a href="ChangeNotes.html#id348938">Important Samba-3.2.x Change Notes</a></span></dt><dt><span class="sect1"><a href="ChangeNotes.html#id348949">Important Samba-3.0.x Change Notes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ChangeNotes.html#id348997">User and Group Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349287">Essential Group Mappings</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349400">Passdb Changes</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349457">Group Mapping Changes in Samba-3.0.23</a></span></dt><dt><span class="sect2"><a href="ChangeNotes.html#id349573">LDAP Changes in Samba-3.0.23</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NetworkBrowsing.html">10. 
Network Browsing</a></span></dt><dd><dl><dt><span class="sect1"><a href="NetworkBrowsing.html#id349822">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#id349988">What Is Browsing?</a></span></dt><dt><span class="sect1"><a href="NetworkBrowsing.html#netdiscuss">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id350405">NetBIOS over TCP/IP</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id350990">TCP/IP without NetBIOS</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id351491">How Browsing Functions</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#DMB">Configuring Workgroup Browsing</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id352366">Domain Browsing Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id352942">Making Samba the Domain Master</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353161">Note about Broadcast Addresses</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353180">Multiple Interfaces</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353357">Use of the Remote Announce Parameter</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id353486">Use of the Remote Browse Sync Parameter</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id353573">WINS: The Windows Internetworking Name Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id353824">WINS Server Configuration</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354117">WINS 
Replication</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354166">Static WINS Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id354384">Helpful Hints</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id354394">Windows Networking Protocols</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354520">Name Resolution Order</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id354713">Technical Overview of Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id354790">Browsing Support in Samba</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id354972">Problem Resolution</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id355210">Cross-Subnet Browsing</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetworkBrowsing.html#id356151">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetworkBrowsing.html#id356175">Flushing the Samba NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356240">Server Resources Cannot Be Listed</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356285">I Get an "<span class="errorname">Unable to browse the network</span>" Error</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356329">Browsing of Shares and Directories is Very Slow</a></span></dt><dt><span class="sect2"><a href="NetworkBrowsing.html#id356510">Invalid Cached Share References Affects Network Browsing</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="passdb.html">11. 
Account Information Databases</a></span></dt><dd><dl><dt><span class="sect1"><a href="passdb.html#id356961">Features and Benefits</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></span></dt><dt><span class="sect2"><a href="passdb.html#id357165">New Account Storage Systems</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#passdbtech">Technical Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id357700">Important Notes About Security</a></span></dt><dt><span class="sect2"><a href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a></span></dt><dt><span class="sect2"><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></span></dt><dt><span class="sect2"><a href="passdb.html#id358700">Comments Regarding LDAP</a></span></dt><dt><span class="sect2"><a href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#acctmgmttools">Account Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id359487">The <code class="literal">smbpasswd</code> Tool</a></span></dt><dt><span class="sect2"><a href="passdb.html#pdbeditthing">The <code class="literal">pdbedit</code> Tool</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id361852">Password Backends</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id361898">Plaintext</a></span></dt><dt><span class="sect2"><a href="passdb.html#id361970">smbpasswd: Encrypted Password Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id362220">tdbsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id362365">ldapsam</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id364701">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="passdb.html#id364707">Users Cannot Logon</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364741">Configuration of <em class="parameter"><code>auth methods</code></em></a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="groupmapping.html">12. Group Mapping: MS Windows and UNIX</a></span></dt><dd><dl><dt><span class="sect1"><a href="groupmapping.html#id364981">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="groupmapping.html#id365375">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id365690">Warning: User Private Group Problems</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id365742">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id366270">Important Administrative Information</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id366491">Default Users, Groups, and Relative Identifiers</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367100">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id367172">Configuration Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id367182">Sample <code class="filename">smb.conf</code> Add Group Script</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367342">Script to Configure Group Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id367456">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id367467">Adding Groups Fails</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id367547">Adding Domain Users to the Workstation Power Users Group</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="NetCommand.html">13. 
Remote and Local Management: The Net Command</a></span></dt><dd><dl><dt><span class="sect1"><a href="NetCommand.html#id367921">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id368198">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id368272">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id368421">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id369648">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id369843">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id369887">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id369950">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id370027">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id370337">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id370349">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id370687">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id370896">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id371098">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id371140">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a 
href="NetCommand.html#id371309">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371336">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id371872">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id372088">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372105">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372165">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372268">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id372285">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id372323">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id372354">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></dd><dt><span class="chapter"><a href="idmapper.html">14. 
Identity Mapping (IDMAP)</a></span></dt><dd><dl><dt><span class="sect1"><a href="idmapper.html#id372830">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id372854">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id372912">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id373803">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id374021">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id374087">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id374148">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id374842">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375401">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id375947">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="rights.html">15. 
User Rights and Privileges</a></span></dt><dd><dl><dt><span class="sect1"><a href="rights.html#id376570">Rights Management Capabilities</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id376833">Using the <span class="quote">&#8220;<span class="quote">net rpc rights</span>&#8221;</span> Utility</a></span></dt><dt><span class="sect2"><a href="rights.html#id377149">Description of Privileges</a></span></dt><dt><span class="sect2"><a href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></span></dt></dl></dd><dt><span class="sect1"><a href="rights.html#id377883">The Administrator Domain SID</a></span></dt><dt><span class="sect1"><a href="rights.html#id378048">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="AccessControls.html">16. File, Directory, and Share Access Controls</a></span></dt><dd><dl><dt><span class="sect1"><a href="AccessControls.html#id378519">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AccessControls.html#id378687">File System Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id378699">MS Windows NTFS Comparison with UNIX File Systems</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379000">Managing Directories</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id379121">File and Directory Access Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id379717">Share Definition Access Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id379748">User- and Group-Based Controls</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id380091">File and Directory Permissions-Based Controls</a></span></dt><dt><span class="sect2"><a 
href="AccessControls.html#id380402">Miscellaneous Controls</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id380718">Access Controls on Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id380854">Share Permissions Management</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id381176">MS Windows Access Control Lists and UNIX Interoperability</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id381182">Managing UNIX Permissions Using NT Security Dialogs</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381222">Viewing File Security on a Samba Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381286">Viewing File Ownership</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381416">Viewing File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381607">Modifying File or Directory Permissions</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id381747">Interaction with the Standard Samba <span class="quote">&#8220;<span class="quote">create mask</span>&#8221;</span> Parameters</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382083">Interaction with the Standard Samba File Attribute Mapping</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382146">Windows NT/200X ACLs and POSIX ACLs Limitations</a></span></dt></dl></dd><dt><span class="sect1"><a href="AccessControls.html#id382508">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="AccessControls.html#id382518">Users Cannot Write to a Public Share</a></span></dt><dt><span class="sect2"><a href="AccessControls.html#id382826">File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</a></span></dt><dt><span class="sect2"><a 
href="AccessControls.html#id382869">MS Word with Samba Changes Owner of File</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="locking.html">17. File and Record Locking</a></span></dt><dd><dl><dt><span class="sect1"><a href="locking.html#id383088">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="locking.html#id383174">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id383412">Opportunistic Locking Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id384264">Samba Oplocks Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id384333">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id384716">MS Windows Oplocks and Caching Controls</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id384868">Workstation Service Entries</a></span></dt><dt><span class="sect2"><a href="locking.html#id384888">Server Service Entries</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id384944">Persistent Data Corruption</a></span></dt><dt><span class="sect1"><a href="locking.html#id384963">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="locking.html#id385014">locking.tdb Error Messages</a></span></dt><dt><span class="sect2"><a href="locking.html#id385042">Problems Saving Files in MS Office on Windows XP</a></span></dt><dt><span class="sect2"><a href="locking.html#id385065">Long Delays Deleting Files over Network with XP SP1</a></span></dt></dl></dd><dt><span class="sect1"><a href="locking.html#id385094">Additional Reading</a></span></dt></dl></dd><dt><span class="chapter"><a href="securing-samba.html">18. 
Securing Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="securing-samba.html#id385260">Introduction</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id385353">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id385488">Technical Discussion of Protective Measures and Issues</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id385501">Using Host-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id385646">User-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id385704">Using Interface Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#firewallports">Using a Firewall</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id386164">NTLMv2 Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="securing-samba.html#id386212">Upgrading Samba</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id386253">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id386268">Smbclient Works on Localhost, but the Network Is Dead</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="InterdomainTrusts.html">19. 
Interdomain Trust Relationships</a></span></dt><dd><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id386823">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id387144">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id387178">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id388180">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id388191">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id388228">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="msdfs.html">20. 
Hosting a Microsoft Distributed File System Tree</a></span></dt><dd><dl><dt><span class="sect1"><a href="msdfs.html#id388393">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="msdfs.html#id388783">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="msdfs.html#id388812">MSDFS UNIX Path Is Case-Critical</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="classicalprinting.html">21. Classical Printing Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="classicalprinting.html#id389000">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id389202">Technical Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id389339">Client to Samba Print Job Processing</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id389393">Printing-Related Configuration Parameters</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id389487">Simple Print Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id389756">Verifying Configuration with <code class="literal">testparm</code></a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id389939">Rapid Configuration Validation</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id390291">Extended Printing Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id390731">Detailed Explanation Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#cups-msrpc">Printing Developments Since Samba-2.2</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id393254">Point'n'Print Client Drivers on Samba Servers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id393408">The Obsoleted [printer$] Section</a></span></dt><dt><span class="sect2"><a 
href="classicalprinting.html#id393519">Creating the [print$] Share</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id393726">[print$] Stanza Parameters</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id394019">The [print$] Share Directory</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id394148">Installing Drivers into [print$]</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id394232">Add Printer Wizard Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#inst-rpc">Installing Print Drivers Using <code class="literal">rpcclient</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id395921">Client Driver Installation Procedure</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id395936">First Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#prt-modeset">Setting Device Modes on New Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id396442">Additional Client Driver Installation</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id396553">Always Make First Client Connection as root or <span class="quote">&#8220;<span class="quote">printer admin</span>&#8221;</span></a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id396711">Other Gotchas</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id396728">Setting Default Print Options for Client Drivers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397064">Supporting Large Numbers of Printers</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397300">Adding New Printers with the Windows NT APW</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397538">Error Message: <span 
class="quote">&#8220;<span class="quote">Cannot connect under a different Name</span>&#8221;</span></a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397636">Take Care When Assembling Driver Files</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397860">Samba and Printer Ports</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id397959">Avoiding Common Client Driver Misconfiguration</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id397992">The Imprints Toolset</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id398030">What Is Imprints?</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398060">Creating Printer Driver Packages</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398072">The Imprints Server</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398086">The Installation Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="classicalprinting.html#id398202">Adding Network Printers without User Interaction</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398444">The <code class="literal">addprinter</code> Command</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398477">Migration of Classical Printing to Samba</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398608">Publishing Printer Information in Active Directory or LDAP</a></span></dt><dt><span class="sect1"><a href="classicalprinting.html#id398635">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="classicalprinting.html#id398641">I Give My Root Password but I Do Not Get Access</a></span></dt><dt><span class="sect2"><a href="classicalprinting.html#id398678">My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a 
href="CUPS-printing.html">22. CUPS Printing Support</a></span></dt><dd><dl><dt><span class="sect1"><a href="CUPS-printing.html#id398810">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id398815">Features and Benefits</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id398866">Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id398976">Basic CUPS Support Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id399084">Linking smbd with libcups.so</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id399310">Simple <code class="filename">smb.conf</code> Settings for CUPS</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id399534">More Complex CUPS <code class="filename">smb.conf</code> Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id399894">Advanced Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id399907">Central Spooling vs. 
<span class="quote">&#8220;<span class="quote">Peer-to-Peer</span>&#8221;</span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id399952">Raw Print Serving: Vendor Drivers on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400166">Installation of Windows Client Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-raw">Explicitly Enable <span class="quote">&#8220;<span class="quote">raw</span>&#8221;</span> Printing for <span class="emphasis"><em>application/octet-stream</em></span></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400430">Driver Upload Methods</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id400541">Advanced Intelligent Printing with PostScript Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#gdipost">GDI on Windows, PostScript on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400715">Windows Drivers, GDI, and EMF</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id400881">UNIX Printfile Conversion and GUI Basics</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401205">Ghostscript: The Software RIP for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401346">PostScript Printer Description (PPD) Specification</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401414">Using Windows-Formatted Vendor PPDs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id401523">CUPS Also Uses PPDs for Non-PostScript Printers</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id401558">The CUPS Filtering Architecture</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id401774">MIME Types 
and CUPS Filters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402185">MIME Type Conversion Rules</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402381">Filtering Overview</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402529">Prefilters</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402708">pstops</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id402868">pstoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403119">imagetops and imagetoraster</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403199">rasterto [printers specific]</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403411">CUPS Backends</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403719">The Role of <em class="parameter"><code>cupsomatic/foomatic</code></em></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403933">The Complete Picture</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id403945"><code class="filename">mime.convs</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404006"><span class="quote">&#8220;<span class="quote">Raw</span>&#8221;</span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404106">application/octet-stream Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404367">PostScript Printer Descriptions for Non-PostScript Printers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404631"><span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> Versus <span class="emphasis"><em>Native CUPS</em></span> Printing</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id404945">Examples for Filtering Chains</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405347">Sources of CUPS Drivers/PPDs</a></span></dt><dt><span 
class="sect2"><a href="CUPS-printing.html#id405456">Printing with Interface Scripts</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id405534">Network Printing (Purely Windows)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id405549">From Windows Clients to an NT Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405607">Driver Execution on the Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405672">Driver Execution on the Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id405771">Network Printing (Windows Clients and UNIX/Samba Print
-Servers)</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id405787">From Windows Clients to a CUPS/Samba Print Server</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id405962">Samba Receiving Job-Files and Passing Them to CUPS</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id406034">Network PostScript RIP</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id406112">PPDs for Non-PS Printers on UNIX</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406149">PPDs for Non-PS Printers on Windows</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id406210">Windows Terminal Servers (WTS) as CUPS Clients</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id406222">Printer Drivers Running in <span class="quote">&#8220;<span class="quote">Kernel Mode</span>&#8221;</span> Cause Many
-Problems</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406253">Workarounds Impose Heavy Limitations</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406267">CUPS: A <span class="quote">&#8220;<span class="quote">Magical Stone</span>&#8221;</span>?</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406303">PostScript Drivers with No Major Problems, Even in Kernel
-Mode</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id406382">Configuring CUPS for Driver Download</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id406400"><span class="emphasis"><em>cupsaddsmb</em></span>: The Unknown Utility</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406488">Prepare Your <code class="filename">smb.conf</code> for <code class="literal">cupsaddsmb</code></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406765">CUPS <span class="quote">&#8220;<span class="quote">PostScript Driver for Windows NT/200x/XP</span>&#8221;</span></a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id406987">Recognizing Different Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407098">Acquiring the Adobe Driver Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407118">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407173">Caveats to Be Considered</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407452">Windows CUPS PostScript Driver Versus Adobe Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407647">Run cupsaddsmb (Quiet Mode)</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407782">Run cupsaddsmb with Verbose Output</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id407885">Understanding cupsaddsmb</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408021">How to Recognize If cupsaddsmb Completed Successfully</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408132">cupsaddsmb with a Samba PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408209">cupsaddsmb Flowchart</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408287">Installing the PostScript Driver on 
a Client</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#cups-avoidps1">Avoiding Critical PostScript Driver Settings on the Client</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id408496">Installing PostScript Driver Files Manually Using rpcclient</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id408662">A Check of the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408822">Understanding the rpcclient man Page</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id408914">Producing an Example by Querying a Windows Box</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409034">Requirements for adddriver and setdriver to Succeed</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id409245">Manual Driver Installation in 15 Steps</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410123">Troubleshooting Revisited</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id410254">The Printing <code class="filename">*.tdb</code> Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id410454">Trivial Database Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410516">Binary Format</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410577">Losing <code class="filename">*.tdb</code> Files</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id410623">Using <code class="literal">tdbbackup</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id410734">CUPS Print Drivers from Linuxprinting.org</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id410895">foomatic-rip and Foomatic Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id411599">foomatic-rip and Foomatic PPD Download and 
Installation</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id412022">Page Accounting with CUPS</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412052">Setting Up Quotas</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412102">Correct and Incorrect Accounting</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412135">Adobe and CUPS PostScript Drivers for Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412266">The page_log File Syntax</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412406">Possible Shortcomings</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412465">Future Developments</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412500">Other Accounting Tools</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id412512">Additional Material</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id412700">Autodeletion or Preservation of CUPS Spool Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id412773">CUPS Configuration Settings Explained</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412850">Preconditions</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id412978">Manual Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id413023">Printing from CUPS to Windows-Attached Printers</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id413279">More CUPS Filtering Chains</a></span></dt><dt><span class="sect1"><a href="CUPS-printing.html#id413388">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="CUPS-printing.html#id413394">Windows 9x/Me Client Can't Install Driver</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#root-ask-loop"><span class="quote">&#8220;<span 
class="quote">cupsaddsmb</span>&#8221;</span> Keeps Asking for Root Password in Never-ending Loop</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413464"><span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> or <span class="quote">&#8220;<span class="quote">rpcclient addriver</span>&#8221;</span> Emit Error</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413500"><span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> Errors</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413571">Client Can't Connect to Samba Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413594">New Account Reconnection from Windows 200x/XP Troubles</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413674">Avoid Being Connected to the Samba Server as the Wrong User</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413721">Upgrading to CUPS Drivers from Adobe Drivers</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413755">Can't Use <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span> on Samba Server, Which Is a PDC</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413790">Deleted Windows 200x Printer Driver Is Still Shown</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413821">Windows 200x/XP Local Security Policies</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413852">Administrator Cannot Install Printers for All Local Users</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413888">Print Change, Notify Functions on NT Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413911">Windows XP SP1</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id413953">Print Options for All Users Can't Be Set on Windows 200x/XP</a></span></dt><dt><span class="sect2"><a 
href="CUPS-printing.html#id414222">Most Common Blunders in Driver Settings on Windows Clients</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414274"><code class="literal">cupsaddsmb</code> Does Not Work with Newly Installed Printer</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414320">Permissions on <code class="filename">/var/spool/samba/</code> Get Reset After Each Reboot</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414413">Print Queue Called <span class="quote">&#8220;<span class="quote">lp</span>&#8221;</span> Mishandles Print Jobs</a></span></dt><dt><span class="sect2"><a href="CUPS-printing.html#id414476">Location of Adobe PostScript Driver Files for <span class="quote">&#8220;<span class="quote">cupsaddsmb</span>&#8221;</span></a></span></dt></dl></dd><dt><span class="sect1"><a href="CUPS-printing.html#id414527">Overview of the CUPS Printing Processes</a></span></dt></dl></dd><dt><span class="chapter"><a href="VFS.html">23. 
Stackable VFS modules</a></span></dt><dd><dl><dt><span class="sect1"><a href="VFS.html#id414711">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="VFS.html#id414746">Discussion</a></span></dt><dt><span class="sect1"><a href="VFS.html#id415127">Included Modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id415132">audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415172">default_quota</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415364">extd_audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#fakeperms">fake_perms</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415677">recycle</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416047">netatalk</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416094">shadow_copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="VFS.html#id416927">VFS Modules Available Elsewhere</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id416949">DatabaseFS</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417002">vscan</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417038">vscan-clamav</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="winbind.html">24. 
Winbind: Use of Domain Accounts</a></span></dt><dd><dl><dt><span class="sect1"><a href="winbind.html#id417272">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="winbind.html#id417589">Introduction</a></span></dt><dt><span class="sect1"><a href="winbind.html#id417666">What Winbind Provides</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id417805">Target Uses</a></span></dt><dt><span class="sect2"><a href="winbind.html#id417844">Handling of Foreign SIDs</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id417956">How Winbind Works</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id418004">Microsoft Remote Procedure Calls</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418082">Microsoft Active Directory Services</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418126">Name Service Switch</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418338">Pluggable Authentication Modules</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418479">User and Group ID Allocation</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418546">Result Caching</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id418597">Installation and Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id418602">Introduction</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418709">Requirements</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418852">Testing Things Out</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id421094">Conclusion</a></span></dt><dt><span class="sect1"><a href="winbind.html#id421140">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id421173">NSCD Problem Warning</a></span></dt><dt><span class="sect2"><a href="winbind.html#id421207">Winbind Is Not Resolving Users and 
Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="AdvancedNetworkManagement.html">25. Advanced Network Management</a></span></dt><dd><dl><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id421386">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id421408">Remote Server Administration</a></span></dt><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id421545">Remote Desktop Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id421570">Remote Management from NoMachine.Com</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id421909">Remote Management with ThinLinc</a></span></dt></dl></dd><dt><span class="sect1"><a href="AdvancedNetworkManagement.html#id422084">Network Logon Script Magic</a></span></dt><dd><dl><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id422250">Adding Printers without User Intervention</a></span></dt><dt><span class="sect2"><a href="AdvancedNetworkManagement.html#id422290">Limiting Logon Connections</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="PolicyMgmt.html">26. 
System and Account Policies</a></span></dt><dd><dl><dt><span class="sect1"><a href="PolicyMgmt.html#id422418">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id422512">Creating and Managing System Policies</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id422683">Windows 9x/ME Policies</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id422806">Windows NT4-Style Policy Files</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id423012">MS Windows 200x/XP Professional Policies</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id423414">Managing Account/User Policies</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id423619">Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id423630">Samba Editreg Toolset</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id423706">Windows NT4/200x</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id423743">Samba PDC</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id423806">System Startup and Logon Processing Overview</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id423947">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id423958">Policy Does Not Work</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="ProfileMgmt.html">27. 
Desktop Profile Management</a></span></dt><dd><dl><dt><span class="sect1"><a href="ProfileMgmt.html#id424037">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id424080">Roaming Profiles</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id424128">Samba Configuration for Profile Handling</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id424698">Windows Client Profile Configuration Information</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id425966">User Profile Hive Cleanup Service</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id425996">Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id426086">Profile Migration from Windows NT4/200x Server to Samba</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id426418">Mandatory Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id426546">Creating and Managing Group Profiles</a></span></dt><dt><span class="sect1"><a href="ProfileMgmt.html#id426613">Default Profile for Windows Users</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id426639">MS Windows 9x/Me</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id426778">MS Windows NT4 Workstation</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427303">MS Windows 200x/XP</a></span></dt></dl></dd><dt><span class="sect1"><a href="ProfileMgmt.html#id427765">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ProfileMgmt.html#id427775">Configuring Roaming Profiles for a Few Users or Groups</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427829">Cannot Use Roaming Profiles</a></span></dt><dt><span class="sect2"><a href="ProfileMgmt.html#id427978">Changing the Default Profile</a></span></dt><dt><span class="sect2"><a 
href="ProfileMgmt.html#id428131">Debugging Roaming Profiles and NT4-style Domain Policies</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="pam.html">28. PAM-Based Distributed Authentication</a></span></dt><dd><dl><dt><span class="sect1"><a href="pam.html#id428296">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id428896">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id428947">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id429855">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id430124"><code class="filename">smb.conf</code> PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id430196">Remote CIFS Authentication Using <code class="filename">winbindd.so</code></a></span></dt><dt><span class="sect2"><a href="pam.html#id430284">Password Synchronization Using <code class="filename">pam_smbpass.so</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id430641">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id430651">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id430740">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="integrate-ms-networks.html">29. 
Integrating MS Windows Networks with Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="integrate-ms-networks.html#id430948">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id430965">Background Information</a></span></dt><dt><span class="sect1"><a href="integrate-ms-networks.html#id431084">Name Resolution in a Pure UNIX/Linux World</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id431155"><code class="filename">/etc/hosts</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431316"><code class="filename">/etc/resolv.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431349"><code class="filename">/etc/host.conf</code></a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431397"><code class="filename">/etc/nsswitch.conf</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id431507">Name Resolution as Used within MS Windows Networking</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id431901">The NetBIOS Name Cache</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id431980">The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432088">HOSTS File</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432113">DNS Lookup</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432135">WINS Lookup</a></span></dt></dl></dd><dt><span class="sect1"><a href="integrate-ms-networks.html#id432266">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="integrate-ms-networks.html#id432277">Pinging Works Only One Way</a></span></dt><dt><span class="sect2"><a href="integrate-ms-networks.html#id432305">Very Slow Network Connections</a></span></dt><dt><span class="sect2"><a 
href="integrate-ms-networks.html#id432343">Samba Server Name-Change Problem</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="unicode.html">30. Unicode/Charsets</a></span></dt><dd><dl><dt><span class="sect1"><a href="unicode.html#id432528">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432573">What Are Charsets and Unicode?</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432692">Samba and Charsets</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432818">Conversion from Old Names</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432847">Japanese Charsets</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id432968">Basic Parameter Setting</a></span></dt><dt><span class="sect2"><a href="unicode.html#id433545">Individual Implementations</a></span></dt><dt><span class="sect2"><a href="unicode.html#id433658">Migration from Samba-2.2 Series</a></span></dt></dl></dd><dt><span class="sect1"><a href="unicode.html#id433797">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id433803">CP850.so Can't Be Found</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="Backup.html">31. Backup Techniques</a></span></dt><dd><dl><dt><span class="sect1"><a href="Backup.html#id433904">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="Backup.html#id433944">Discussion of Backup Solutions</a></span></dt><dd><dl><dt><span class="sect2"><a href="Backup.html#id434031">BackupPC</a></span></dt><dt><span class="sect2"><a href="Backup.html#id434193">Rsync</a></span></dt><dt><span class="sect2"><a href="Backup.html#id434353">Amanda</a></span></dt><dt><span class="sect2"><a href="Backup.html#id434397">BOBS: Browseable Online Backup System</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="SambaHA.html">32. 
High Availability</a></span></dt><dd><dl><dt><span class="sect1"><a href="SambaHA.html#id434489">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="SambaHA.html#id434596">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="SambaHA.html#id434627">The Ultimate Goal</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id434749">Why Is This So Hard?</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435417">A Simple Solution</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435490">High-Availability Server Products</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435618">MS-DFS: The Poor Man's Cluster</a></span></dt><dt><span class="sect2"><a href="SambaHA.html#id435651">Conclusions</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="largefile.html">33. Handling Large Directories</a></span></dt><dt><span class="chapter"><a href="cfgsmarts.html">34. Advanced Configuration Techniques</a></span></dt><dd><dl><dt><span class="sect1"><a href="cfgsmarts.html#id436235">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="cfgsmarts.html#id436244">Multiple Server Hosting</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id436620">Multiple Virtual Server Personalities</a></span></dt><dt><span class="sect2"><a href="cfgsmarts.html#id437590">Multiple Virtual Server Hosting</a></span></dt></dl></dd></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ClientConfig.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ChangeNotes.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. 
MS Windows Network Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. Important and Critical Change Notes for the Samba 3.x Series</td></tr></table></div></body></html>
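Review bot: The table of contents that closes this deleted page still links to pam.html, integrate-ms-networks.html, unicode.html, Backup.html, SambaHA.html, largefile.html and cfgsmarts.html, and its navigation footer points at ClientConfig.html and ChangeNotes.html, so the removal is only consistent if every one of those generated pages is dropped in the same commit; please confirm none is left behind carrying dangling Prev/Next or chapter links. These files are generated output (the pam.html header in the next file names DocBook XSL Stylesheets V1.75.2 as the generator), so the commit message should say where the HOWTO is built or published from now, because administrators following old links to chapters such as the PAM authentication guide need a replacement location.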
diff --git a/docs/htmldocs/Samba3-HOWTO/pam.html b/docs/htmldocs/Samba3-HOWTO/pam.html
deleted file mode 100644
index 7a552afef6..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/pam.html
+++ /dev/null
@@ -1,650 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. PAM-Based Distributed Authentication</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. PAM-Based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 28. PAM-Based Distributed Authentication"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter 28. 
PAM-Based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="pam.html#id428296">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id428896">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id428947">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id429855">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id430124"><code class="filename">smb.conf</code> PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id430196">Remote CIFS Authentication Using <code class="filename">winbindd.so</code></a></span></dt><dt><span class="sect2"><a href="pam.html#id430284">Password Synchronization Using <code class="filename">pam_smbpass.so</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id430641">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id430651">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id430740">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id428227"></a>
-<a class="indexterm" name="id428234"></a>
-<a class="indexterm" name="id428241"></a>
-<a class="indexterm" name="id428247"></a>
-This chapter should help you to deploy Winbind-based authentication on any PAM-enabled
-UNIX/Linux system. Winbind can be used to enable user-level application access authentication
-from any MS Windows NT domain, MS Windows 200x Active Directory-based
-domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access
-controls that are appropriate to your Samba configuration.
-</p><p>
-<a class="indexterm" name="id428261"></a>
-<a class="indexterm" name="id428268"></a>
-In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management
-possibilities and in particular how to deploy tools like <code class="filename">pam_smbpass.so</code> to your advantage.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-The use of Winbind requires more than PAM configuration alone.
-Please refer to <a class="link" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>, for further information regarding Winbind.
-</p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id428296"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id428303"></a>
-<a class="indexterm" name="id428310"></a>
-<a class="indexterm" name="id428317"></a>
-<a class="indexterm" name="id428324"></a>
-<a class="indexterm" name="id428333"></a>
-<a class="indexterm" name="id428340"></a>
-<a class="indexterm" name="id428346"></a>
-<a class="indexterm" name="id428353"></a>
-A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux,
-now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
-authorization, and resource control services. Prior to the introduction of PAM, a decision
-to use an alternative to the system password database (<code class="filename">/etc/passwd</code>)
-would require the provision of alternatives for all programs that provide security services.
-Such a choice would involve provision of alternatives to programs such as <code class="literal">login</code>,
-<code class="literal">passwd</code>, <code class="literal">chown</code>, and so on.
-</p><p>
-<a class="indexterm" name="id428391"></a>
-<a class="indexterm" name="id428397"></a>
-<a class="indexterm" name="id428404"></a>
-<a class="indexterm" name="id428411"></a>
-PAM provides a mechanism that disconnects these security programs from the underlying
-authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file,
-<code class="filename">/etc/pam.conf</code> (Solaris), or by editing individual control files that are
-located in <code class="filename">/etc/pam.d</code>.
-</p><p>
-<a class="indexterm" name="id428435"></a>
-<a class="indexterm" name="id428442"></a>
-On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any
-authentication backend so long as the appropriate dynamically loadable library modules
-are available for it. The backend may be local to the system or may be centralized on a
-remote server.
-</p><p>
-PAM support modules are available for:
-</p><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/passwd</code></span></dt><dd><p>
-<a class="indexterm" name="id428469"></a>
-<a class="indexterm" name="id428476"></a>
-<a class="indexterm" name="id428483"></a>
-<a class="indexterm" name="id428490"></a>
-<a class="indexterm" name="id428496"></a>
-<a class="indexterm" name="id428503"></a>
- There are several PAM modules that interact with this standard UNIX user database. The most common are called
- <code class="filename">pam_unix.so</code>, <code class="filename">pam_unix2.so</code>, <code class="filename">pam_pwdb.so</code> and
- <code class="filename">pam_userdb.so</code>.
- </p></dd><dt><span class="term">Kerberos</span></dt><dd><p>
-<a class="indexterm" name="id428544"></a>
-<a class="indexterm" name="id428551"></a>
-<a class="indexterm" name="id428558"></a>
-<a class="indexterm" name="id428565"></a>
-<a class="indexterm" name="id428572"></a>
- The <code class="filename">pam_krb5.so</code> module allows the use of any Kerberos-compliant server.
- This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
- Microsoft Active Directory (if enabled).
- </p></dd><dt><span class="term">LDAP</span></dt><dd><p>
-<a class="indexterm" name="id428596"></a>
-<a class="indexterm" name="id428602"></a>
-<a class="indexterm" name="id428609"></a>
-<a class="indexterm" name="id428616"></a>
-<a class="indexterm" name="id428623"></a>
-<a class="indexterm" name="id428630"></a>
- The <code class="filename">pam_ldap.so</code> module allows the use of any LDAP v2- or v3-compatible backend
- server. Commonly used LDAP backend servers include OpenLDAP v2.0 and v2.1,
- Sun ONE iDentity server, Novell eDirectory server, and Microsoft Active Directory.
- </p></dd><dt><span class="term">NetWare Bindery</span></dt><dd><p>
-<a class="indexterm" name="id428654"></a>
-<a class="indexterm" name="id428661"></a>
-<a class="indexterm" name="id428668"></a>
-<a class="indexterm" name="id428675"></a>
- The <code class="filename">pam_ncp_auth.so</code> module allows authentication off any bindery-enabled
- NetWare Core Protocol-based server.
- </p></dd><dt><span class="term">SMB Password</span></dt><dd><p>
-<a class="indexterm" name="id428699"></a>
-<a class="indexterm" name="id428705"></a>
-<a class="indexterm" name="id428712"></a>
- This module, called <code class="filename">pam_smbpass.so</code>, allows user authentication of
- the passdb backend that is configured in the Samba <code class="filename">smb.conf</code> file.
- </p></dd><dt><span class="term">SMB Server</span></dt><dd><p>
-<a class="indexterm" name="id428742"></a>
-<a class="indexterm" name="id428748"></a>
- The <code class="filename">pam_smb_auth.so</code> module is the original MS Windows networking authentication
- tool. This module has been somewhat outdated by the Winbind module.
- </p></dd><dt><span class="term">Winbind</span></dt><dd><p>
-<a class="indexterm" name="id428772"></a>
-<a class="indexterm" name="id428779"></a>
-<a class="indexterm" name="id428786"></a>
-<a class="indexterm" name="id428793"></a>
- The <code class="filename">pam_winbind.so</code> module allows Samba to obtain authentication from any
- MS Windows domain controller. It can just as easily be used to authenticate
- users for access to any PAM-enabled application.
- </p></dd><dt><span class="term">RADIUS</span></dt><dd><p>
-<a class="indexterm" name="id428817"></a>
- There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
- module. In most cases, administrators need to locate the source code
- for this tool and compile and install it themselves. RADIUS protocols are
- used by many routers and terminal servers.
- </p></dd></dl></div><p>
-<a class="indexterm" name="id428834"></a>
-<a class="indexterm" name="id428841"></a>
-Of the modules listed, Samba provides the <code class="filename">pam_smbpasswd.so</code> and the
-<code class="filename">pam_winbind.so</code> modules alone.
-</p><p>
-<a class="indexterm" name="id428864"></a>
-<a class="indexterm" name="id428870"></a>
-<a class="indexterm" name="id428877"></a>
-<a class="indexterm" name="id428884"></a>
-Once configured, these permit a remarkable level of flexibility in the location and use
-of distributed Samba domain controllers that can provide wide-area network bandwidth,
-efficient authentication services for PAM-capable systems. In effect, this allows the
-deployment of centrally managed and maintained distributed authentication from a
-single-user account database.
-</p></div><div class="sect1" title="Technical Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id428896"></a>Technical Discussion</h2></div></div></div><p>
-<a class="indexterm" name="id428904"></a>
-<a class="indexterm" name="id428911"></a>
-<a class="indexterm" name="id428918"></a>
-<a class="indexterm" name="id428924"></a>
-PAM is designed to provide system administrators with a great deal of flexibility in
-configuration of the privilege-granting applications of their system. The local
-configuration of system security controlled by PAM is contained in one of two places:
-either the single system file <code class="filename">/etc/pam.conf</code> or the
-<code class="filename">/etc/pam.d/</code> directory.
-</p><div class="sect2" title="PAM Configuration Syntax"><div class="titlepage"><div><div><h3 class="title"><a name="id428947"></a>PAM Configuration Syntax</h3></div></div></div><p>
-<a class="indexterm" name="id428955"></a>
-<a class="indexterm" name="id428961"></a>
-In this section we discuss the correct syntax of and generic options respected by entries to these files.
-PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case
-sensitive, since they indicate a file's name and reflect the case dependence of typical file systems. The
-case sensitivity of the arguments to any given module is defined for each module in turn.
-</p><p>
-In addition to the lines described below, there are two special characters provided for the convenience
-of the system administrator: comments are preceded by a <span class="quote">&#8220;<span class="quote">#</span>&#8221;</span> and extend to the next end-of-line; also,
-module specification lines may be extended with a <span class="quote">&#8220;<span class="quote">\</span>&#8221;</span>-escaped newline.
-</p><p>
-<a class="indexterm" name="id428987"></a>
-<a class="indexterm" name="id428994"></a>
-If the PAM authentication module (loadable link library file) is located in the
-default location, then it is not necessary to specify the path. In the case of
-Linux, the default location is <code class="filename">/lib/security</code>. If the module
-is located outside the default, then the path must be specified as:
-</p><pre class="programlisting">
-auth required /other_path/pam_strange_module.so
-</pre><p>
-</p><div class="sect3" title="Anatomy of /etc/pam.d Entries"><div class="titlepage"><div><div><h4 class="title"><a name="id429016"></a>Anatomy of <code class="filename">/etc/pam.d</code> Entries</h4></div></div></div><p>
-The remaining information in this subsection was taken from the documentation of the Linux-PAM
-project. For more information on PAM, see
-<a class="ulink" href="http://ftp.kernel.org/pub/linux/libs/pam/" target="_top">the Official Linux-PAM home page</a>.
-</p><p>
-<a class="indexterm" name="id429041"></a>
-A general configuration line of the <code class="filename">/etc/pam.conf</code> file has the following form:
-</p><pre class="programlisting">
-service-name module-type control-flag module-path args
-</pre><p>
-</p><p>
-We explain the meaning of each of these tokens. The second (and more recently adopted)
-way of configuring Linux-PAM is via the contents of the <code class="filename">/etc/pam.d/</code> directory.
-Once we have explained the meaning of the tokens, we describe this method.
-</p><div class="variablelist"><dl><dt><span class="term">service-name</span></dt><dd><p>
-<a class="indexterm" name="id429082"></a>
-<a class="indexterm" name="id429089"></a>
-<a class="indexterm" name="id429096"></a>
- The name of the service associated with this entry. Frequently, the service-name is the conventional
- name of the given application for example, <code class="literal">ftpd</code>, <code class="literal">rlogind</code> and
- <code class="literal">su</code>, and so on.
- </p><p>
- There is a special service-name reserved for defining a default authentication mechanism. It has
- the name <em class="parameter"><code>OTHER</code></em> and may be specified in either lower- or uppercase characters.
- Note, when there is a module specified for a named service, the <em class="parameter"><code>OTHER</code></em>
- entries are ignored.
- </p></dd><dt><span class="term">module-type</span></dt><dd><p>
- One of (currently) four types of module. The four types are as follows:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id429160"></a>
-<a class="indexterm" name="id429166"></a>
- <em class="parameter"><code>auth:</code></em> This module type provides two aspects of authenticating the user.
- It establishes that the user is who he or she claims to be by instructing the application
- to prompt the user for a password or other means of identification. Second, the module can
- grant group membership (independently of the <code class="filename">/etc/groups</code> file)
- or other privileges through its credential-granting properties.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id429192"></a>
-<a class="indexterm" name="id429199"></a>
- <em class="parameter"><code>account:</code></em> This module performs non-authentication-based account management.
- It is typically used to restrict/permit access to a service based on the time of day, currently
- available system resources (maximum number of users), or perhaps the location of the user
- login. For example, the <span class="quote">&#8220;<span class="quote">root</span>&#8221;</span> login may be permitted only on the console.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id429223"></a>
- <em class="parameter"><code>session:</code></em> Primarily, this module is associated with doing things that need
- to be done for the user before and after he or she can be given service. Such things include logging
- information concerning the opening and closing of some data exchange with a user, mounting
- directories, and so on.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id429242"></a>
- <em class="parameter"><code>password:</code></em> This last module type is required for updating the authentication
- token associated with the user. Typically, there is one module for each
- <span class="quote">&#8220;<span class="quote">challenge/response</span>&#8221;</span> authentication <em class="parameter"><code>(auth)</code></em> module type.
- </p></li></ul></div></dd><dt><span class="term">control-flag</span></dt><dd><p>
- The control-flag is used to indicate how the PAM library will react to the success or failure of the
- module it is associated with. Since modules can be stacked (modules of the same type execute in series,
- one after another), the control-flags determine the relative importance of each module. The application
- is not made aware of the individual success or failure of modules listed in the
- <code class="filename">/etc/pam.conf</code> file. Instead, it receives a summary success or fail response from
- the Linux-PAM library. The order of execution of these modules is that of the entries in the
- <code class="filename">/etc/pam.conf</code> file; earlier entries are executed before later ones.
- As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes.
- </p><p>
-<a class="indexterm" name="id429299"></a>
-<a class="indexterm" name="id429306"></a>
-<a class="indexterm" name="id429312"></a>
-<a class="indexterm" name="id429319"></a>
- The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the
- severity of concern associated with the success or failure of a specific module. There are four such
- keywords: <em class="parameter"><code>required</code></em>, <em class="parameter"><code>requisite</code></em>,
- <em class="parameter"><code>sufficient</code></em>, and <em class="parameter"><code>optional</code></em>.
- </p><p>
- The Linux-PAM library interprets these keywords in the following manner:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <em class="parameter"><code>required:</code></em> This indicates that the success of the module is required for the
- module-type facility to succeed. Failure of this module will not be apparent to the user until all
- of the remaining modules (of the same module-type) have been executed.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>requisite:</code></em> Like required, except that if such a module returns a
- failure, control is directly returned to the application. The return value is that associated with
- the first required or requisite module to fail. This flag can be used to protect against the
- possibility of a user getting the opportunity to enter a password over an unsafe medium. It is
- conceivable that such behavior might inform an attacker of valid accounts on a system. This
- possibility should be weighed against the not insignificant concerns of exposing a sensitive
- password in a hostile environment.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>sufficient:</code></em> The success of this module is deemed <em class="parameter"><code>sufficient</code></em> to satisfy
- the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no
- previous required module has failed, no more <span class="quote">&#8220;<span class="quote">stacked</span>&#8221;</span> modules of this type are invoked.
- (In this case, subsequent required modules are not invoked). A failure of this module is not deemed
- as fatal to satisfying the application that this module-type has succeeded.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>optional:</code></em> As its name suggests, this control-flag marks the module as not
- being critical to the success or failure of the user's application for service. In general,
- Linux-PAM ignores such a module when determining if the module stack will succeed or fail.
- However, in the absence of any definite successes or failures of previous or subsequent stacked
- modules, this module will determine the nature of the response to the application. One example of
- this latter case is when the other modules return something like PAM_IGNORE.
- </p></li></ul></div><p>
- The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
- over how the user is authenticated. This form of the control-flag is delimited with square brackets and
- consists of a series of <em class="parameter"><code>value=action</code></em> tokens:
- </p><pre class="programlisting">
-[value1=action1 value2=action2 ...]
-</pre><p>
- Here, <em class="parameter"><code>value1</code></em> is one of the following return values:
-</p><pre class="screen">
-<em class="parameter"><code>success; open_err; symbol_err; service_err; system_err; buf_err;</code></em>
-<em class="parameter"><code>perm_denied; auth_err; cred_insufficient; authinfo_unavail;</code></em>
-<em class="parameter"><code>user_unknown; maxtries; new_authtok_reqd; acct_expired; session_err;</code></em>
-<em class="parameter"><code>cred_unavail; cred_expired; cred_err; no_module_data; conv_err;</code></em>
-<em class="parameter"><code>authtok_err; authtok_recover_err; authtok_lock_busy;</code></em>
-<em class="parameter"><code>authtok_disable_aging; try_again; ignore; abort; authtok_expired;</code></em>
-<em class="parameter"><code>module_unknown; bad_item;</code></em> and <em class="parameter"><code>default</code></em>.
-</pre><p>
-</p><p>
- The last of these (<em class="parameter"><code>default</code></em>) can be used to set the action for those return values that are not explicitly defined.
- </p><p>
- The <em class="parameter"><code>action1</code></em> can be a positive integer or one of the following tokens:
- <em class="parameter"><code>ignore</code></em>; <em class="parameter"><code>ok</code></em>; <em class="parameter"><code>done</code></em>;
- <em class="parameter"><code>bad</code></em>; <em class="parameter"><code>die</code></em>; and <em class="parameter"><code>reset</code></em>.
- A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
- current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
- stack of modules with a number of different paths of execution. Which path is taken can be determined by the
- reactions of individual modules.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <em class="parameter"><code>ignore:</code></em> When used with a stack of modules, the module's return status will not
- contribute to the return code the application obtains.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>bad:</code></em> This action indicates that the return code should be thought of as indicative
- of the module failing. If this module is the first in the stack to fail, its status value will be used
- for that of the whole stack.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>die:</code></em> Equivalent to bad with the side effect of terminating the module stack and
- PAM immediately returning to the application.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>ok:</code></em> This tells PAM that the administrator thinks this return code should
- contribute directly to the return code of the full stack of modules. In other words, if the former
- state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override
- this value. Note, if the former state of the stack holds some value that is indicative of a module's
- failure, this <em class="parameter"><code>ok</code></em> value will not be used to override that value.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>done:</code></em> Equivalent to <em class="parameter"><code>ok</code></em> with the side effect of terminating the module stack and
- PAM immediately returning to the application.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>reset:</code></em> Clears all memory of the state of the module stack and starts again with
- the next stacked module.
- </p></li></ul></div><p>
- Each of the four keywords, <em class="parameter"><code>required</code></em>; <em class="parameter"><code>requisite</code></em>;
- <em class="parameter"><code>sufficient</code></em>; and <em class="parameter"><code>optional</code></em>, have an equivalent expression in terms
- of the [...] syntax. They are as follows:
- </p><p>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <em class="parameter"><code>required</code></em> is equivalent to <em class="parameter"><code>[success=ok new_authtok_reqd=ok ignore=ignore default=bad]</code></em>.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>requisite</code></em> is equivalent to <em class="parameter"><code>[success=ok new_authtok_reqd=ok ignore=ignore default=die]</code></em>.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>sufficient</code></em> is equivalent to <em class="parameter"><code>[success=done new_authtok_reqd=done default=ignore]</code></em>.
- </p></li><li class="listitem"><p>
- <em class="parameter"><code>optional</code></em> is equivalent to <em class="parameter"><code>[success=ok new_authtok_reqd=ok default=ignore]</code></em>.
- </p></li></ul></div><p>
- </p><p>
- Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63,
- the notion of client plug-in agents was introduced. This makes it possible for PAM to support
- machine-machine authentication using the transport protocol inherent to the client/server application. With the
- <em class="parameter"><code>[ ... value=action ... ]</code></em> control syntax, it is possible for an application to be configured
- to support binary prompts with compliant clients, but to gracefully fail over into an alternative authentication
- mode for legacy applications.
- </p></dd><dt><span class="term">module-path</span></dt><dd><p>
- The pathname of the dynamically loadable object file; the pluggable module itself. If the first character of the
- module path is <span class="quote">&#8220;<span class="quote">/</span>&#8221;</span>, it is assumed to be a complete path. If this is not the case, the given module path is appended
- to the default module path: <code class="filename">/lib/security</code> (but see the previous notes).
- </p><p>
- The arguments are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical
- Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments
- are ignored by a module; however, when encountering an invalid argument, the module is required to write an error
- to syslog(3). For a list of generic options, see the next section.
- </p><p>
- If you wish to include spaces in an argument, you should surround that argument with square brackets. For example:
- </p><pre class="programlisting">
-squid auth required pam_mysql.so user=passwd_query passwd=mada \
-db=eminence [query=select user_name from internet_service where \
-user_name=<span class="quote">&#8220;<span class="quote">%u</span>&#8221;</span> and password=PASSWORD(<span class="quote">&#8220;<span class="quote">%p</span>&#8221;</span>) and service=<span class="quote">&#8220;<span class="quote">web_proxy</span>&#8221;</span>]
-</pre><p>
- When using this convention, you can include <span class="quote">&#8220;<span class="quote">[</span>&#8221;</span> characters inside the string, and if you wish to have a <span class="quote">&#8220;<span class="quote">]</span>&#8221;</span>
- character inside the string that will survive the argument parsing, you should use <span class="quote">&#8220;<span class="quote">\[</span>&#8221;</span>. In other words,
- </p><pre class="programlisting">
-[..[..\]..] --&gt; ..[..]..
-</pre><p>
- Any line in one of the configuration files that is not formatted correctly will generally tend (erring on the
- side of caution) to make the authentication process fail. A corresponding error is written to the system log files
- with a call to syslog(3).
- </p></dd></dl></div></div></div><div class="sect2" title="Example System Configurations"><div class="titlepage"><div><div><h3 class="title"><a name="id429855"></a>Example System Configurations</h3></div></div></div><p>
-The following is an example <code class="filename">/etc/pam.d/login</code> configuration file.
-This example had all options uncommented and is probably not usable
-because it stacks many conditions before allowing successful completion
-of the login process. Essentially, all conditions can be disabled
-by commenting them out, except the calls to <code class="filename">pam_pwdb.so</code>.
-</p><div class="sect3" title="PAM: Original Login Config"><div class="titlepage"><div><div><h4 class="title"><a name="id429878"></a>PAM: Original Login Config</h4></div></div></div><p>
- </p><pre class="programlisting">
-#%PAM-1.0
-# The PAM configuration file for the <span class="quote">&#8220;<span class="quote">login</span>&#8221;</span> service
-#
-auth required pam_securetty.so
-auth required pam_nologin.so
-# auth required pam_dialup.so
-# auth optional pam_mail.so
-auth required pam_pwdb.so shadow md5
-# account requisite pam_time.so
-account required pam_pwdb.so
-session required pam_pwdb.so
-# session optional pam_lastlog.so
-# password required pam_cracklib.so retry=3
-password required pam_pwdb.so shadow md5
-</pre><p>
-</p></div><div class="sect3" title="PAM: Login Using pam_smbpass"><div class="titlepage"><div><div><h4 class="title"><a name="id429901"></a>PAM: Login Using <code class="filename">pam_smbpass</code></h4></div></div></div><p>
-PAM allows use of replaceable modules. Those available on a sample system include:
-</p><p><code class="prompt">$</code><strong class="userinput"><code>/bin/ls /lib/security</code></strong>
-</p><pre class="programlisting">
-pam_access.so pam_ftp.so pam_limits.so
-pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
-pam_cracklib.so pam_group.so pam_listfile.so
-pam_nologin.so pam_rootok.so pam_tally.so
-pam_deny.so pam_issue.so pam_mail.so
-pam_permit.so pam_securetty.so pam_time.so
-pam_dialup.so pam_lastlog.so pam_mkhomedir.so
-pam_pwdb.so pam_shells.so pam_unix.so
-pam_env.so pam_ldap.so pam_motd.so
-pam_radius.so pam_smbpass.so pam_unix_acct.so
-pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
-pam_userdb.so pam_warn.so pam_unix_session.so
-</pre><p>
-The following example for the login program replaces the use of
-the <code class="filename">pam_pwdb.so</code> module that uses the system
-password database (<code class="filename">/etc/passwd</code>,
-<code class="filename">/etc/shadow</code>, <code class="filename">/etc/group</code>) with
-the module <code class="filename">pam_smbpass.so</code>, which uses the Samba
-database containing the Microsoft MD4 encrypted password
-hashes. This database is stored either in
-<code class="filename">/usr/local/samba/private/smbpasswd</code>,
-<code class="filename">/etc/samba/smbpasswd</code> or in
-<code class="filename">/etc/samba.d/smbpasswd</code>, depending on the
-Samba implementation for your UNIX/Linux system. The
-<code class="filename">pam_smbpass.so</code> module is provided by
-Samba version 2.2.1 or later. It can be compiled by specifying the
-<code class="option">--with-pam_smbpass</code> options when running Samba's
-<code class="literal">configure</code> script. For more information
-on the <code class="filename">pam_smbpass</code> module, see the documentation
-in the <code class="filename">source/pam_smbpass</code> directory of the Samba
-source distribution.
-</p><p>
- </p><pre class="programlisting">
-#%PAM-1.0
-# The PAM configuration file for the <span class="quote">&#8220;<span class="quote">login</span>&#8221;</span> service
-#
-auth required pam_smbpass.so nodelay
-account required pam_smbpass.so nodelay
-session required pam_smbpass.so nodelay
-password required pam_smbpass.so nodelay
-</pre><p>
-The following is the PAM configuration file for a particular
-Linux system. The default condition uses <code class="filename">pam_pwdb.so</code>.
-</p><p>
- </p><pre class="programlisting">
-#%PAM-1.0
-# The PAM configuration file for the <span class="quote">&#8220;<span class="quote">samba</span>&#8221;</span> service
-#
-auth required pam_pwdb.so nullok nodelay shadow audit
-account required pam_pwdb.so audit nodelay
-session required pam_pwdb.so nodelay
-password required pam_pwdb.so shadow md5
-</pre><p>
-In the following example, the decision has been made to use the
-<code class="literal">smbpasswd</code> database even for basic Samba authentication. Such a
-decision could also be made for the <code class="literal">passwd</code> program and would
-thus allow the <code class="literal">smbpasswd</code> passwords to be changed using the
-<code class="literal">passwd</code> program:
-</p><p>
- </p><pre class="programlisting">
-#%PAM-1.0
-# The PAM configuration file for the <span class="quote">&#8220;<span class="quote">samba</span>&#8221;</span> service
-#
-auth required pam_smbpass.so nodelay
-account required pam_pwdb.so audit nodelay
-session required pam_pwdb.so nodelay
-password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
-</pre><p>
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>PAM allows stacking of authentication mechanisms. It is
-also possible to pass information obtained within one PAM module through
-to the next module in the PAM stack. Please refer to the documentation for
-your particular system implementation for details regarding the specific
-capabilities of PAM in this environment. Some Linux implementations also
-provide the <code class="filename">pam_stack.so</code> module that allows all
-authentication to be configured in a single central file. The
-<code class="filename">pam_stack.so</code> method has some devoted followers
-on the basis that it allows for easier administration. As with all issues in
-life, though, every decision has trade-offs, so you may want to examine the
-PAM documentation for further helpful information.
-</p></div></div></div><div class="sect2" title="smb.conf PAM Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id430124"></a><code class="filename">smb.conf</code> PAM Configuration</h3></div></div></div><p>
-There is an option in <code class="filename">smb.conf</code> called <a class="link" href="smb.conf.5.html#OBEYPAMRESTRICTIONS" target="_top">obey pam restrictions</a>.
-The following is from the online help for this option in SWAT:
-</p><div class="blockquote"><blockquote class="blockquote"><p>
-When Samba is configured to enable PAM support (i.e., <code class="option">--with-pam</code>), this parameter will
-control whether or not Samba should obey PAM's account and session management directives. The default behavior
-is to use PAM for clear-text authentication only and to ignore any account or session management. Samba always
-ignores PAM for authentication in the case of <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords = yes</a>.
-The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB
-password encryption.
-</p><p>Default: <a class="link" href="smb.conf.5.html#OBEYPAMRESTRICTIONS" target="_top">obey pam restrictions = no</a></p></blockquote></div></div><div class="sect2" title="Remote CIFS Authentication Using winbindd.so"><div class="titlepage"><div><div><h3 class="title"><a name="id430196"></a>Remote CIFS Authentication Using <code class="filename">winbindd.so</code></h3></div></div></div><p>
-All operating systems depend on the provision of user credentials acceptable to the platform.
-UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID).
-These are both simple integer numbers that are obtained from a password backend such
-as <code class="filename">/etc/passwd</code>.
-</p><p>
-Users and groups on a Windows NT server are assigned a relative ID (RID) which is unique for
-the domain when the user or group is created. To convert the Windows NT user or group into
-a UNIX user or group, a mapping between RIDs and UNIX user and group IDs is required. This
-is one of the jobs that winbind performs.
-</p><p>
-As winbind users and groups are resolved from a server, user and group IDs are allocated
-from a specified range. This is done on a first come, first served basis, although all
-existing users and groups will be mapped as soon as a client performs a user or group
-enumeration command. The allocated UNIX IDs are stored in a database file under the Samba
-lock directory and will be remembered.
-</p><p>
-The astute administrator will realize from this that the combination of <code class="filename">pam_smbpass.so</code>,
-<code class="literal">winbindd</code>, and a distributed <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>
-such as <em class="parameter"><code>ldap</code></em> will allow the establishment of a centrally managed, distributed user/password
-database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have
-particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) insofar as
-the reduction of wide-area network authentication traffic.
-</p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-The RID to UNIX ID database is the only location where the user and group mappings are
-stored by <code class="literal">winbindd</code>. If this file is deleted or corrupted, there is no way for <code class="literal">winbindd</code>
-to determine which user and group IDs correspond to Windows NT user and group RIDs.
-</p></div></div><div class="sect2" title="Password Synchronization Using pam_smbpass.so"><div class="titlepage"><div><div><h3 class="title"><a name="id430284"></a>Password Synchronization Using <code class="filename">pam_smbpass.so</code></h3></div></div></div><p>
-<code class="filename">pam_smbpass</code> is a PAM module that can be used on conforming systems to
-keep the <code class="filename">smbpasswd</code> (Samba password) database in sync with the UNIX
-password file. PAM is an API supported
-under some UNIX operating systems, such as Solaris, HPUX, and Linux, that provides a
-generic interface to authentication mechanisms.
-</p><p>
-This module authenticates a local <code class="filename">smbpasswd</code> user database. If you require
-support for authenticating against a remote SMB server, or if you are
-concerned about the presence of SUID root binaries on your system, it is
-recommended that you use <code class="filename">pam_winbind</code> instead.
-</p><p>
-Options recognized by this module are shown in <a class="link" href="pam.html#smbpassoptions" title="Table 28.1. Options recognized by pam_smbpass">next table</a>.
-</p><div class="table"><a name="smbpassoptions"></a><p class="title"><b>Table 28.1. Options recognized by <em class="parameter"><code>pam_smbpass</code></em></b></p><div class="table-contents"><table summary="Options recognized by pam_smbpass" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">debug</td><td align="justify">Log more debugging info.</td></tr><tr><td align="left">audit</td><td align="justify">Like debug, but also logs unknown usernames.</td></tr><tr><td align="left">use_first_pass</td><td align="justify">Do not prompt the user for passwords; take them from PAM_ items instead.</td></tr><tr><td align="left">try_first_pass</td><td align="justify">Try to get the password from a previous PAM module; fall back to prompting the user.</td></tr><tr><td align="left">use_authtok</td><td align="justify">Like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).</td></tr><tr><td align="left">not_set_pass</td><td align="justify">Do not make passwords used by this module available to other modules.</td></tr><tr><td align="left">nodelay</td><td align="justify">dDo not insert ~1-second delays on authentication failure.</td></tr><tr><td align="left">nullok</td><td align="justify">Null passwords are allowed.</td></tr><tr><td align="left">nonull</td><td align="justify">Null passwords are not allowed. Used to override the Samba configuration.</td></tr><tr><td align="left">migrate</td><td align="justify">Only meaningful in an <span class="quote">&#8220;<span class="quote">auth</span>&#8221;</span> context; used to update smbpasswd file with a password used for successful authentication.</td></tr><tr><td align="left">smbconf=<em class="replaceable"><code>file</code></em></td><td align="justify">Specify an alternate path to the <code class="filename">smb.conf</code> file.</td></tr></tbody></table></div></div><p><br class="table-break">
-</p><p>
-The following are examples of the use of <code class="filename">pam_smbpass.so</code> in the format of the Linux
-<code class="filename">/etc/pam.d/</code> files structure. Those wishing to implement this
-tool on other platforms will need to adapt this appropriately.
-</p><div class="sect3" title="Password Synchronization Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id430489"></a>Password Synchronization Configuration</h4></div></div></div><p>
-The following is a sample PAM configuration that shows the use of pam_smbpass to make
-sure <code class="filename">private/smbpasswd</code> is kept in sync when <code class="filename">/etc/passwd (/etc/shadow)</code>
-is changed. It is useful when an expired password might be changed by an
-application (such as <code class="literal">ssh</code>).
-</p><p>
- </p><pre class="programlisting">
-#%PAM-1.0
-# password-sync
-#
-auth requisite pam_nologin.so
-auth required pam_unix.so
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password required pam_smbpass.so nullok use_authtok try_first_pass
-session required pam_unix.so
-</pre></div><div class="sect3" title="Password Migration Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id430529"></a>Password Migration Configuration</h4></div></div></div><p>
-The following PAM configuration shows the use of <code class="filename">pam_smbpass</code> to migrate
-from plaintext to encrypted passwords for Samba. Unlike other methods,
-this can be used for users who have never connected to Samba shares:
-password migration takes place when users <code class="literal">ftp</code> in, login using <code class="literal">ssh</code>, pop
-their mail, and so on.
-</p><p>
- </p><pre class="programlisting">
-#%PAM-1.0
-# password-migration
-#
-auth requisite pam_nologin.so
-# pam_smbpass is called IF pam_unix succeeds.
-auth requisite pam_unix.so
-auth optional pam_smbpass.so migrate
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password optional pam_smbpass.so nullok use_authtok try_first_pass
-session required pam_unix.so
-</pre></div><div class="sect3" title="Mature Password Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id430570"></a>Mature Password Configuration</h4></div></div></div><p>
-The following is a sample PAM configuration for a mature <code class="filename">smbpasswd</code> installation.
-<code class="filename">private/smbpasswd</code> is fully populated, and we consider it an error if
-the SMB password does not exist or does not match the UNIX password.
-</p><p>
-</p><pre class="programlisting">
-#%PAM-1.0
-# password-mature
-#
-auth requisite pam_nologin.so
-auth required pam_unix.so
-account required pam_unix.so
-password requisite pam_cracklib.so retry=3
-password requisite pam_unix.so shadow md5 use_authtok try_first_pass
-password required pam_smbpass.so use_authtok use_first_pass
-session required pam_unix.so
-</pre></div><div class="sect3" title="Kerberos Password Integration Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id430605"></a>Kerberos Password Integration Configuration</h4></div></div></div><p>
-The following is a sample PAM configuration that shows <em class="parameter"><code>pam_smbpass</code></em> used together with
-<em class="parameter"><code>pam_krb5</code></em>. This could be useful on a Samba PDC that is also a member of
-a Kerberos realm.
-</p><p>
- </p><pre class="programlisting">
-#%PAM-1.0
-# kdc-pdc
-#
-auth requisite pam_nologin.so
-auth requisite pam_krb5.so
-auth optional pam_smbpass.so migrate
-account required pam_krb5.so
-password requisite pam_cracklib.so retry=3
-password optional pam_smbpass.so nullok use_authtok try_first_pass
-password required pam_krb5.so use_authtok try_first_pass
-session required pam_krb5.so
-</pre></div></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id430641"></a>Common Errors</h2></div></div></div><p>
-PAM can be fickle and sensitive to configuration glitches. Here we look at a few cases from
-the Samba mailing list.
-</p><div class="sect2" title="pam_winbind Problem"><div class="titlepage"><div><div><h3 class="title"><a name="id430651"></a>pam_winbind Problem</h3></div></div></div><p>
- A user reported, <span class="emphasis"><em>I have the following PAM configuration</em></span>:
- </p><p>
-</p><pre class="programlisting">
-auth required /lib/security/pam_securetty.so
-auth sufficient /lib/security/pam_winbind.so
-auth sufficient /lib/security/pam_unix.so use_first_pass nullok
-auth required /lib/security/pam_stack.so service=system-auth
-auth required /lib/security/pam_nologin.so
-account required /lib/security/pam_stack.so service=system-auth
-account required /lib/security/pam_winbind.so
-password required /lib/security/pam_stack.so service=system-auth
-</pre><p>
-</p><p>
- <span class="emphasis"><em>When I open a new console with [ctrl][alt][F1], I can't log in with my user <span class="quote">&#8220;<span class="quote">pitie.</span>&#8221;</span>
- I have tried with user <span class="quote">&#8220;<span class="quote">scienceu\pitie</span>&#8221;</span> also.</em></span>
- </p><p>
- The problem may lie with the inclusion of <em class="parameter"><code>pam_stack.so
- service=system-auth</code></em>. That file often contains a lot of stuff that may
- duplicate what you are already doing. Try commenting out the <em class="parameter"><code>pam_stack</code></em> lines
- for <em class="parameter"><code>auth</code></em> and <em class="parameter"><code>account</code></em> and see if things work. If they do, look at
- <code class="filename">/etc/pam.d/system-auth</code> and copy only what you need from it into your
- <code class="filename">/etc/pam.d/login</code> file. Alternatively, if you want all services to use
- Winbind, you can put the Winbind-specific stuff in <code class="filename">/etc/pam.d/system-auth</code>.
- </p></div><div class="sect2" title="Winbind Is Not Resolving Users and Groups"><div class="titlepage"><div><div><h3 class="title"><a name="id430740"></a>Winbind Is Not Resolving Users and Groups</h3></div></div></div><p>
- <span class="quote">&#8220;<span class="quote">
- My <code class="filename">smb.conf</code> file is correctly configured. I have specified
- <a class="link" href="smb.conf.5.html#IDMAPUID" target="_top">idmap uid = 12000</a>
- and <a class="link" href="smb.conf.5.html#IDMAPGID" target="_top">idmap gid = 3000-3500,</a>
- and <code class="literal">winbind</code> is running. When I do the following it all works fine.
- </span>&#8221;</span>
- </p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -u</code></strong>
-MIDEARTH\maryo
-MIDEARTH\jackb
-MIDEARTH\ameds
-...
-MIDEARTH\root
-
-<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -g</code></strong>
-MIDEARTH\Domain Users
-MIDEARTH\Domain Admins
-MIDEARTH\Domain Guests
-...
-MIDEARTH\Accounts
-
-<code class="prompt">root# </code><strong class="userinput"><code>getent passwd</code></strong>
-root:x:0:0:root:/root:/bin/bash
-bin:x:1:1:bin:/bin:/bin/bash
-...
-maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
-</pre><p>
- <span class="quote">&#8220;<span class="quote">
- But this command fails:
- </span>&#8221;</span>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>chown maryo a_file</code></strong>
-chown: 'maryo': invalid user
-</pre><p>
- <span class="quote">&#8220;<span class="quote">This is driving me nuts! What can be wrong?</span>&#8221;</span>
- </p><p>
- Your system is likely running <code class="literal">nscd</code>, the name service
- caching daemon. Shut it down, do not restart it! You will find your problem resolved.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 27. Desktop Profile Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 29. Integrating MS Windows Networks with Samba</td></tr></table></div></body></html>
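Review bot: the removed module-path text contradicts itself on escaping. The prose says a "]" that must survive argument parsing is written as "\[", while the example directly below it ([..[..\]..] --> ..[..]..) escapes it as "\]". The example matches the stated intent, so the prose is the part that looks wrong. The nodelay row of Table 28.1 also carries the typo "dDo not insert ~1-second delays". Deleting this rendered copy does not fix either defect. The passdb.html header in this same commit carries a DocBook XSL generator tag, so if pam.html was built the same way and its source stays in the tree, please correct both there; otherwise a later rebuild will bring them back. It would also help to have the commit description say where the PAM guidance removed here can still be found, in particular the winbindd warning that the RID to UNIX ID database is the only place the mappings are stored.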
diff --git a/docs/htmldocs/Samba3-HOWTO/passdb.html b/docs/htmldocs/Samba3-HOWTO/passdb.html
deleted file mode 100644
index 187df73316..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/passdb.html
+++ /dev/null
@@ -1,1670 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Account Information Databases</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"><link rel="next" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Account Information Databases</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 11. Account Information Databases"><div class="titlepage"><div><div><h2 class="title"><a name="passdb"></a>Chapter 11. 
Account Information Databases</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Olivier (lem)</span> <span 
class="surname">Lemaire</span></h3><div class="affiliation"><span class="orgname">IDEALX<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:olem@IDEALX.org">olem@IDEALX.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 24, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="passdb.html#id356961">Features and Benefits</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id356996">Backward Compatibility Account Storage Systems</a></span></dt><dt><span class="sect2"><a href="passdb.html#id357165">New Account Storage Systems</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#passdbtech">Technical Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id357700">Important Notes About Security</a></span></dt><dt><span class="sect2"><a href="passdb.html#id358180">Mapping User Identifiers between MS Windows and UNIX</a></span></dt><dt><span class="sect2"><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></span></dt><dt><span class="sect2"><a href="passdb.html#id358700">Comments Regarding LDAP</a></span></dt><dt><span class="sect2"><a href="passdb.html#id359075">LDAP Directories and Windows Computer Accounts</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#acctmgmttools">Account Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id359487">The <code class="literal">smbpasswd</code> Tool</a></span></dt><dt><span class="sect2"><a href="passdb.html#pdbeditthing">The <code class="literal">pdbedit</code> Tool</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id361852">Password Backends</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id361898">Plaintext</a></span></dt><dt><span class="sect2"><a href="passdb.html#id361970">smbpasswd: Encrypted Password 
Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id362220">tdbsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id362365">ldapsam</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id364701">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id364707">Users Cannot Logon</a></span></dt><dt><span class="sect2"><a href="passdb.html#id364741">Configuration of <em class="parameter"><code>auth methods</code></em></a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id356776"></a>
-<a class="indexterm" name="id356783"></a>
-<a class="indexterm" name="id356790"></a>
-<a class="indexterm" name="id356796"></a>
-Early releases of Samba-3 implemented new capability to work concurrently with multiple account backends. This
-capability was removed beginning with release of Samba 3.0.23. Commencing with Samba 3.0.23 it is possible to
-work with only one specified passwd backend.
-</p><p>
-<a class="indexterm" name="id356809"></a>
-<a class="indexterm" name="id356815"></a>
-<a class="indexterm" name="id356822"></a>
-<a class="indexterm" name="id356829"></a>
-<a class="indexterm" name="id356836"></a>
-<a class="indexterm" name="id356843"></a>
-The three passdb backends that are fully maintained (actively supported) by the Samba Team are:
-<code class="literal">smbpasswd</code> (being obsoleted), <code class="literal">tdbsam</code> (a tdb-based binary file format),
-and <code class="literal">ldapsam</code> (LDAP directory). Of these, only the <code class="literal">ldapsam</code> backend
-stores both POSIX (UNIX) and Samba user and group account information in a single repository. The
-<code class="literal">smbpasswd</code> and <code class="literal">tdbsam</code> backends store only Samba user accounts.
-</p><p>
-In a strict sense, there are three supported account storage and access systems. One of these is considered
-obsolete (smbpasswd). It is recommended to use the <code class="literal">tdbsam</code> method for all simple systems. Use
-<code class="literal">ldapsam</code> for larger and more complex networks.
-</p><p>
-<a class="indexterm" name="id356908"></a>
-<a class="indexterm" name="id356915"></a>
-<a class="indexterm" name="id356922"></a>
-<a class="indexterm" name="id356928"></a>
-<a class="indexterm" name="id356935"></a>
-<a class="indexterm" name="id356942"></a>
-<a class="indexterm" name="id356949"></a>
-In a strict and literal sense, the passdb backends are account storage mechanisms (or methods) alone. The choice
-of terminology can be misleading, however we are stuck with this choice of wording. This chapter documents the
-nature of the account storage system with a focus on user and trust accounts. Trust accounts have two forms,
-machine trust accounts (computer accounts) and interdomain trust accounts. These are all treated as user-like
-entities.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id356961"></a>Features and Benefits</h2></div></div></div><p>
-Samba-3 provides for complete backward compatibility with Samba-2.2.x functionality
-as follows:
-<a class="indexterm" name="id356969"></a>
-<a class="indexterm" name="id356978"></a>
-<a class="indexterm" name="id356988"></a>
-</p><div class="sect2" title="Backward Compatibility Account Storage Systems"><div class="titlepage"><div><div><h3 class="title"><a name="id356996"></a>Backward Compatibility Account Storage Systems</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">Plaintext</span></dt><dd><p>
-<a class="indexterm" name="id357012"></a>
-<a class="indexterm" name="id357019"></a>
-<a class="indexterm" name="id357026"></a>
-<a class="indexterm" name="id357033"></a>
-<a class="indexterm" name="id357040"></a>
- This isn't really a backend at all, but is listed here for simplicity. Samba can be configured to pass
- plaintext authentication requests to the traditional UNIX/Linux <code class="filename">/etc/passwd</code> and
- <code class="filename">/etc/shadow</code>-style subsystems. On systems that have Pluggable Authentication Modules
- (PAM) support, all PAM modules are supported. The behavior is just as it was with Samba-2.2.x, and the
- protocol limitations imposed by MS Windows clients apply likewise. Please refer to <a class="link" href="passdb.html#passdbtech" title="Technical Information">Technical Information</a>, for more information regarding the limitations of plaintext
- password usage.
- </p></dd><dt><span class="term">smbpasswd</span></dt><dd><p>
-<a class="indexterm" name="id357082"></a>
-<a class="indexterm" name="id357089"></a>
-<a class="indexterm" name="id357096"></a>
-<a class="indexterm" name="id357103"></a>
- This option allows continued use of the <code class="filename">smbpasswd</code>
- file that maintains a plain ASCII (text) layout that includes the MS Windows
- LanMan and NT-encrypted passwords as well as a field that stores some
- account information. This form of password backend does not store any of
- the MS Windows NT/200x SAM (Security Account Manager) information required to
- provide the extended controls that are needed for more comprehensive
- interoperation with MS Windows NT4/200x servers.
- </p><p>
- This backend should be used only for backward compatibility with older
- versions of Samba. It may be deprecated in future releases.
- </p></dd><dt><span class="term">ldapsam_compat (Samba-2.2 LDAP Compatibility)</span></dt><dd><p>
-<a class="indexterm" name="id357136"></a>
-<a class="indexterm" name="id357143"></a>
-<a class="indexterm" name="id357150"></a>
- There is a password backend option that allows continued operation with
- an existing OpenLDAP backend that uses the Samba-2.2.x LDAP schema extension.
- This option is provided primarily as a migration tool, although there is
- no reason to force migration at this time. This tool will eventually
- be deprecated.
- </p></dd></dl></div></div><div class="sect2" title="New Account Storage Systems"><div class="titlepage"><div><div><h3 class="title"><a name="id357165"></a>New Account Storage Systems</h3></div></div></div><p>
-Samba-3 introduces a number of new password backend capabilities.
-<a class="indexterm" name="id357173"></a>
-<a class="indexterm" name="id357182"></a>
-</p><div class="variablelist"><dl><dt><span class="term">tdbsam</span></dt><dd><p>
-<a class="indexterm" name="id357204"></a>
-<a class="indexterm" name="id357210"></a>
-<a class="indexterm" name="id357217"></a>
- This backend provides a rich database backend for local servers. This
- backend is not suitable for multiple domain controllers (i.e., PDC + one
- or more BDC) installations.
- </p><p>
-<a class="indexterm" name="id357228"></a>
-<a class="indexterm" name="id357235"></a>
-<a class="indexterm" name="id357242"></a>
-<a class="indexterm" name="id357249"></a>
-<a class="indexterm" name="id357256"></a>
-<a class="indexterm" name="id357263"></a>
- The <span class="emphasis"><em>tdbsam</em></span> password backend stores the old <span class="emphasis"><em>
- smbpasswd</em></span> information plus the extended MS Windows NT/200x
- SAM information into a binary format TDB (trivial database) file.
- The inclusion of the extended information makes it possible for Samba-3
- to implement the same account and system access controls that are possible
- with MS Windows NT4/200x-based systems.
- </p><p>
-<a class="indexterm" name="id357283"></a>
-<a class="indexterm" name="id357290"></a>
-<a class="indexterm" name="id357297"></a>
- The inclusion of the <span class="emphasis"><em>tdbsam</em></span> capability is a direct
- response to user requests to allow simple site operation without the overhead
- of the complexities of running OpenLDAP. It is recommended to use this only
- for sites that have fewer than 250 users. For larger sites or implementations,
- the use of OpenLDAP or of Active Directory integration is strongly recommended.
- </p></dd><dt><span class="term">ldapsam</span></dt><dd><p>
-<a class="indexterm" name="id357322"></a>
-<a class="indexterm" name="id357329"></a>
- This provides a rich directory backend for distributed account installation.
- </p><p>
-<a class="indexterm" name="id357340"></a>
-<a class="indexterm" name="id357346"></a>
-<a class="indexterm" name="id357353"></a>
-<a class="indexterm" name="id357360"></a>
-<a class="indexterm" name="id357367"></a>
- Samba-3 has a new and extended LDAP implementation that requires configuration
- of OpenLDAP with a new format Samba schema. The new format schema file is
- included in the <code class="filename">examples/LDAP</code> directory of the Samba distribution.
- </p><p>
-<a class="indexterm" name="id357387"></a>
-<a class="indexterm" name="id357394"></a>
-<a class="indexterm" name="id357401"></a>
-<a class="indexterm" name="id357408"></a>
-<a class="indexterm" name="id357414"></a>
- The new LDAP implementation significantly expands the control abilities that
- were possible with prior versions of Samba. It is now possible to specify
- <span class="quote">&#8220;<span class="quote">per-user</span>&#8221;</span> profile settings, home directories, account access controls, and
- much more. Corporate sites will see that the Samba Team has listened to their
- requests both for capability and greater scalability.
- </p></dd></dl></div></div></div><div class="sect1" title="Technical Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="passdbtech"></a>Technical Information</h2></div></div></div><p>
-<a class="indexterm" name="id357446"></a>
-<a class="indexterm" name="id357452"></a>
- Old Windows clients send plaintext passwords over the wire. Samba can check these
- passwords by encrypting them and comparing them to the hash stored in the UNIX user database.
- </p><p>
-<a class="indexterm" name="id357464"></a>
-<a class="indexterm" name="id357471"></a>
-<a class="indexterm" name="id357478"></a>
-<a class="indexterm" name="id357484"></a>
- Newer Windows clients send encrypted passwords (LanMan and NT hashes) instead of plaintext passwords over
- the wire. The newest clients will send only encrypted passwords and refuse to send plaintext passwords unless
- their registry is tweaked.
- </p><p>
-<a class="indexterm" name="id357497"></a>
-<a class="indexterm" name="id357504"></a>
- Many people ask why Samba cannot simply use the UNIX password database. Windows requires
- passwords that are encrypted in its own format. The UNIX passwords can't be converted to
- Windows-style encrypted passwords. Because of that, you can't use the standard UNIX user
- database, and you have to store the LanMan and NT hashes somewhere else.
- </p><p>
-<a class="indexterm" name="id357517"></a>
-<a class="indexterm" name="id357524"></a>
-<a class="indexterm" name="id357530"></a>
-<a class="indexterm" name="id357537"></a>
- In addition to differently encrypted passwords, Windows also stores certain data for each
- user that is not stored in a UNIX user database: for example, workstations the user may logon from,
- the location where the user's profile is stored, and so on. Samba retrieves and stores this
- information using a <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>. Commonly available backends are LDAP,
- tdbsam, and plain text file. For more information, see the man page for <code class="filename">smb.conf</code> regarding the
- <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a> parameter.
- </p><div class="figure"><a name="idmap-sid2uid"></a><p class="title"><b>Figure 11.1. IDMAP: Resolution of SIDs to UIDs.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-sid2uid.png" width="216" alt="IDMAP: Resolution of SIDs to UIDs."></div></div></div><br class="figure-break"><p>
- <a class="indexterm" name="id357620"></a>
-<a class="indexterm" name="id357626"></a>
-<a class="indexterm" name="id357633"></a>
- The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd
- is not running or cannot be contacted, then only local SID/UID resolution is possible. See <a class="link" href="passdb.html#idmap-sid2uid" title="Figure 11.1. IDMAP: Resolution of SIDs to UIDs.">resolution of SIDs to UIDs</a> and <a class="link" href="passdb.html#idmap-uid2sid" title="Figure 11.2. IDMAP: Resolution of UIDs to SIDs.">resolution of UIDs
- to SIDs</a> diagrams.
- </p><div class="figure"><a name="idmap-uid2sid"></a><p class="title"><b>Figure 11.2. IDMAP: Resolution of UIDs to SIDs.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-uid2sid.png" width="270" alt="IDMAP: Resolution of UIDs to SIDs."></div></div></div><br class="figure-break"><div class="sect2" title="Important Notes About Security"><div class="titlepage"><div><div><h3 class="title"><a name="id357700"></a>Important Notes About Security</h3></div></div></div><p>
-<a class="indexterm" name="id357707"></a>
-<a class="indexterm" name="id357714"></a>
-<a class="indexterm" name="id357721"></a>
-<a class="indexterm" name="id357728"></a>
-<a class="indexterm" name="id357735"></a>
- The UNIX and SMB password encryption techniques seem similar on the surface. This
- similarity is, however, only skin deep. The UNIX scheme typically sends clear-text
- passwords over the network when logging in. This is bad. The SMB encryption scheme
- never sends the clear-text password over the network, but it does store the 16-byte
- hashed values on disk. This is also bad. Why? Because the 16 byte hashed values
- are a <span class="quote">&#8220;<span class="quote">password equivalent.</span>&#8221;</span> You cannot derive the user's password from them, but
- they could potentially be used in a modified client to gain access to a server.
- This would require considerable technical knowledge on behalf of the attacker but
- is perfectly possible. You should therefore treat the data stored in whatever passdb
- backend you use (smbpasswd file, LDAP) as though it contained the clear-text
- passwords of all your users. Its contents must be kept secret, and the file should
- be protected accordingly.
- </p><p>
-<a class="indexterm" name="id357756"></a>
-<a class="indexterm" name="id357763"></a>
-<a class="indexterm" name="id357770"></a>
- Ideally, we would like a password scheme that involves neither plaintext passwords
- on the network nor plaintext passwords on disk. Unfortunately, this is not available because Samba is stuck with
- having to be compatible with other SMB systems (Windows NT, Windows for Workgroups, Windows 9x/Me).
- </p><p>
-<a class="indexterm" name="id357782"></a>
-<a class="indexterm" name="id357789"></a>
- Windows NT 4.0 Service Pack 3 changed the default setting so plaintext passwords
- are disabled from being sent over the wire. This mandates either the use of encrypted
- password support or editing the Windows NT registry to re-enable plaintext passwords.
- </p><p>
-<a class="indexterm" name="id357802"></a>
-<a class="indexterm" name="id357808"></a>
- The following versions of Microsoft Windows do not support full domain security protocols,
- although they may log onto a domain environment:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>MS DOS Network client 3.0 with the basic network redirector installed.</p></li><li class="listitem"><p>Windows 95 with the network redirector update installed.</p></li><li class="listitem"><p>Windows 98 [Second Edition].</p></li><li class="listitem"><p>Windows Me.</p></li></ul></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id357844"></a>
-<a class="indexterm" name="id357851"></a>
-<a class="indexterm" name="id357858"></a>
- MS Windows XP Home does not have facilities to become a domain member, and it cannot participate in domain logons.
- </p></div><p>
- The following versions of MS Windows fully support domain security protocols.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Windows NT 3.5x.</p></li><li class="listitem"><p>Windows NT 4.0.</p></li><li class="listitem"><p>Windows 2000 Professional.</p></li><li class="listitem"><p>Windows 200x Server/Advanced Server.</p></li><li class="listitem"><p>Windows XP Professional.</p></li></ul></div><p>
-<a class="indexterm" name="id357899"></a>
-<a class="indexterm" name="id357906"></a>
-<a class="indexterm" name="id357913"></a>
-<a class="indexterm" name="id357920"></a>
-<a class="indexterm" name="id357927"></a>
-<a class="indexterm" name="id357934"></a>
- All current releases of Microsoft SMB/CIFS clients support authentication via the
- SMB challenge/response mechanism described here. Enabling clear-text authentication
- does not disable the ability of the client to participate in encrypted authentication.
- Instead, it allows the client to negotiate either plaintext or encrypted password
- handling.
- </p><p>
-<a class="indexterm" name="id357947"></a>
-<a class="indexterm" name="id357954"></a>
-<a class="indexterm" name="id357960"></a>
-<a class="indexterm" name="id357967"></a>
-<a class="indexterm" name="id357974"></a>
- MS Windows clients will cache the encrypted password alone. Where plaintext passwords
- are re-enabled through the appropriate registry change, the plaintext password is never
- cached. This means that in the event that a network connections should become disconnected
- (broken), only the cached (encrypted) password will be sent to the resource server to
- effect an auto-reconnect. If the resource server does not support encrypted passwords, the
- auto-reconnect will fail. Use of encrypted passwords is strongly advised.
- </p><div class="sect3" title="Advantages of Encrypted Passwords"><div class="titlepage"><div><div><h4 class="title"><a name="id357986"></a>Advantages of Encrypted Passwords</h4></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id357997"></a>
-<a class="indexterm" name="id358004"></a>
-<a class="indexterm" name="id358011"></a>
- Plaintext passwords are not passed across the network. Someone using a network sniffer
- cannot just record passwords going to the SMB server.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id358024"></a>
-<a class="indexterm" name="id358030"></a>
-<a class="indexterm" name="id358037"></a>
- Plaintext passwords are not stored anywhere in memory or on disk.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id358049"></a>
-<a class="indexterm" name="id358056"></a>
-<a class="indexterm" name="id358063"></a>
-<a class="indexterm" name="id358070"></a>
- Windows NT does not like talking to a server that does not support encrypted passwords. It will refuse to
- browse the server if the server is also in user-level security mode. It will insist on prompting the user for
- the password on each connection, which is very annoying. The only thing you can do to stop this is to use SMB
- encryption.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id358084"></a>
-<a class="indexterm" name="id358090"></a>
- Encrypted password support allows automatic share (resource) reconnects.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id358102"></a>
-<a class="indexterm" name="id358109"></a>
- Encrypted passwords are essential for PDC/BDC operation.
- </p></li></ul></div></div><div class="sect3" title="Advantages of Non-Encrypted Passwords"><div class="titlepage"><div><div><h4 class="title"><a name="id358119"></a>Advantages of Non-Encrypted Passwords</h4></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id358130"></a>
- Plaintext passwords are not kept on disk and are not cached in memory.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id358142"></a>
-<a class="indexterm" name="id358149"></a>
- Plaintext passwords use the same password file as other UNIX services, such as Login and FTP.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id358161"></a>
-<a class="indexterm" name="id358168"></a>
- Use of other services (such as Telnet and FTP) that send plaintext passwords over
- the network makes sending them for SMB not such a big deal.
- </p></li></ul></div></div></div><div class="sect2" title="Mapping User Identifiers between MS Windows and UNIX"><div class="titlepage"><div><div><h3 class="title"><a name="id358180"></a>Mapping User Identifiers between MS Windows and UNIX</h3></div></div></div><p>
-<a class="indexterm" name="id358188"></a>
-<a class="indexterm" name="id358194"></a>
-<a class="indexterm" name="id358201"></a>
- Every operation in UNIX/Linux requires a user identifier (UID), just as in
- MS Windows NT4/200x this requires a security identifier (SID). Samba provides
- two means for mapping an MS Windows user to a UNIX/Linux UID.
- </p><p>
-<a class="indexterm" name="id358213"></a>
-<a class="indexterm" name="id358220"></a>
-<a class="indexterm" name="id358226"></a>
-<a class="indexterm" name="id358233"></a>
-<a class="indexterm" name="id358240"></a>
- First, all Samba SAM database accounts require a UNIX/Linux UID that the account will map to. As users are
- added to the account information database, Samba will call the <a class="link" href="smb.conf.5.html#ADDUSERSCRIPT" target="_top">add user script</a>
- interface to add the account to the Samba host OS. In essence all accounts in the local SAM require a local
- user account.
- </p><p>
- <a class="indexterm" name="id358265"></a>
- <a class="indexterm" name="id358271"></a>
- <a class="indexterm" name="id358278"></a>
- <a class="indexterm" name="id358285"></a>
- <a class="indexterm" name="id358291"></a>
- <a class="indexterm" name="id358298"></a>
- <a class="indexterm" name="id358305"></a>
- The second way to map Windows SID to UNIX UID is via the <span class="emphasis"><em>idmap uid</em></span> and
- <span class="emphasis"><em>idmap gid</em></span> parameters in <code class="filename">smb.conf</code>. Please refer to the man page for information about
- these parameters. These parameters are essential when mapping users from a remote (non-member Windows client
- or a member of a foreign domain) SAM server.
- </p></div><div class="sect2" title="Mapping Common UIDs/GIDs on Distributed Machines"><div class="titlepage"><div><div><h3 class="title"><a name="idmapbackend"></a>Mapping Common UIDs/GIDs on Distributed Machines</h3></div></div></div><p>
-<a class="indexterm" name="id358341"></a>
-<a class="indexterm" name="id358347"></a>
-<a class="indexterm" name="id358354"></a>
-<a class="indexterm" name="id358360"></a>
-<a class="indexterm" name="id358367"></a>
-<a class="indexterm" name="id358374"></a>
- Samba-3 has a special facility that makes it possible to maintain identical UIDs and GIDs
- on all servers in a distributed network. A distributed network is one where there exists
- a PDC, one or more BDCs, and/or one or more domain member servers. Why is this important?
- This is important if files are being shared over more than one protocol (e.g., NFS) and where
- users are copying files across UNIX/Linux systems using tools such as <code class="literal">rsync</code>.
- </p><p>
-<a class="indexterm" name="id358393"></a>
-<a class="indexterm" name="id358400"></a>
-<a class="indexterm" name="id358407"></a>
-<a class="indexterm" name="id358413"></a>
-<a class="indexterm" name="id358420"></a>
-<a class="indexterm" name="id358427"></a>
-<a class="indexterm" name="id358433"></a>
- <a class="indexterm" name="id358440"></a>
- The special facility is enabled using a parameter called <em class="parameter"><code>idmap backend</code></em>.
- The default setting for this parameter is an empty string. Technically it is possible to use
- an LDAP-based idmap backend for UIDs and GIDs, but it makes most sense when this is done for
- network configurations that also use LDAP for the SAM backend.
- <a class="link" href="passdb.html#idmapbackendexample" title="Example 11.1. Example Configuration with the LDAP idmap Backend">Example Configuration with the LDAP idmap Backend</a>
- shows that configuration.
- </p><a class="indexterm" name="id358465"></a><div class="example"><a name="idmapbackendexample"></a><p class="title"><b>Example 11.1. Example Configuration with the LDAP idmap Backend</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id358496"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap-server.quenya.org:636</code></em></td></tr><tr><td># Alternatively, this could be specified as:</td></tr><tr><td><a class="indexterm" name="id358512"></a><em class="parameter"><code>idmap backend = ldap:ldaps://ldap-server.quenya.org</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id358527"></a>
-<a class="indexterm" name="id358534"></a>
- A network administrator who wants to make significant use of LDAP backends will sooner or later be
- exposed to the excellent work done by PADL Software. PADL <a class="ulink" href="http://www.padl.com" target="_top">http://www.padl.com</a> have
- produced and released to open source an array of tools that might be of interest. These tools include:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id358555"></a>
-<a class="indexterm" name="id358562"></a>
-<a class="indexterm" name="id358568"></a>
-<a class="indexterm" name="id358575"></a>
-<a class="indexterm" name="id358582"></a>
-<a class="indexterm" name="id358589"></a>
-<a class="indexterm" name="id358595"></a>
-<a class="indexterm" name="id358602"></a>
- <span class="emphasis"><em>nss_ldap:</em></span> An LDAP name service switch (NSS) module to provide native
- name service support for AIX, Linux, Solaris, and other operating systems. This tool
- can be used for centralized storage and retrieval of UIDs and GIDs.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id358620"></a>
-<a class="indexterm" name="id358627"></a>
-<a class="indexterm" name="id358634"></a>
-<a class="indexterm" name="id358640"></a>
- <span class="emphasis"><em>pam_ldap:</em></span> A PAM module that provides LDAP integration for UNIX/Linux
- system access authentication.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id358658"></a>
-<a class="indexterm" name="id358665"></a>
-<a class="indexterm" name="id358672"></a>
-<a class="indexterm" name="id358678"></a>
- <span class="emphasis"><em>idmap_ad:</em></span> An IDMAP backend that supports the Microsoft Services for
- UNIX RFC 2307 schema available from the PADL Web
- <a class="ulink" href="http://www.padl.com/download/xad_oss_plugins.tar.gz" target="_top">site</a>.
- </p></li></ul></div></div><div class="sect2" title="Comments Regarding LDAP"><div class="titlepage"><div><div><h3 class="title"><a name="id358700"></a>Comments Regarding LDAP</h3></div></div></div><p>
-<a class="indexterm" name="id358708"></a>
-<a class="indexterm" name="id358717"></a>
-<a class="indexterm" name="id358724"></a>
-<a class="indexterm" name="id358731"></a>
- There is much excitement and interest in LDAP directories in the information technology world
- today. The LDAP architecture was designed to be highly scalable. It was also designed for
- use across a huge number of potential areas of application encompassing a wide range of operating
- systems and platforms. LDAP technologies are at the heart of the current generations of Federated
- Identity Management (FIM) solutions that can underlie a corporate Single Sign-On (SSO) environment.
- </p><p>
-<a class="indexterm" name="id358744"></a>
-<a class="indexterm" name="id358751"></a>
-<a class="indexterm" name="id358758"></a>
-<a class="indexterm" name="id358765"></a>
- LDAP implementations have been built across a wide variety of platforms. It lies at the core of Microsoft
- Windows Active Directory services (ADS), Novell's eDirectory, as well as many others. Implementation of the
- directory services LDAP involves interaction with legacy as well as new generation applications, all of which
- depend on some form of authentication services.
- </p><p>
-<a class="indexterm" name="id358778"></a>
-<a class="indexterm" name="id358785"></a>
-<a class="indexterm" name="id358792"></a>
-<a class="indexterm" name="id358798"></a>
-<a class="indexterm" name="id358805"></a>
-<a class="indexterm" name="id358812"></a>
-<a class="indexterm" name="id358819"></a>
-<a class="indexterm" name="id358826"></a>
-<a class="indexterm" name="id358832"></a>
-<a class="indexterm" name="id358839"></a>
-<a class="indexterm" name="id358846"></a>
-<a class="indexterm" name="id358853"></a>
-<a class="indexterm" name="id358860"></a>
-<a class="indexterm" name="id358866"></a>
- UNIX services can utilize LDAP directory information for authentication and access controls
- through intermediate tools and utilities. The total environment that consists of the LDAP directory
- and the middle-ware tools and utilities makes it possible for all user access to the UNIX platform
- to be managed from a central environment and yet distributed to wherever the point of need may
- be physically located. Applications that benefit from this infrastructure include: UNIX login
- shells, mail and messaging systems, quota controls, printing systems, DNS servers, DHCP servers,
- and also Samba.
- </p><p>
-<a class="indexterm" name="id358882"></a>
-<a class="indexterm" name="id358888"></a>
-<a class="indexterm" name="id358895"></a>
-<a class="indexterm" name="id358902"></a>
-<a class="indexterm" name="id358909"></a>
-<a class="indexterm" name="id358916"></a>
- Many sites are installing LDAP for the first time in order to provide a scalable passdb backend
- for Samba. Others are faced with the need to adapt an existing LDAP directory to new uses such
- as for the Samba SAM backend. Whatever your particular need and attraction to Samba may be,
- decisions made in respect of the design of the LDAP directory structure and its implementation
- are of a durable nature for the site. These have far-reaching implications that affect long-term
- information systems management costs.
- </p><p>
-<a class="indexterm" name="id358930"></a>
-<a class="indexterm" name="id358937"></a>
- Do not rush into an LDAP deployment. Take the time to understand how the design of the Directory
- Information Tree (DIT) may impact current and future site needs, as well as the ability to meet
- them. The way that Samba SAM information should be stored within the DIT varies from site to site
- and with each implementation new experience is gained. It is well understood by LDAP veterans that
- first implementations create awakening, second implementations of LDAP create fear, and
- third-generation deployments bring peace and tranquility.
- </p><div class="sect3" title="Caution Regarding LDAP and Samba"><div class="titlepage"><div><div><h4 class="title"><a name="id358952"></a>Caution Regarding LDAP and Samba</h4></div></div></div><p>
-<a class="indexterm" name="id358960"></a>
-<a class="indexterm" name="id358967"></a>
-<a class="indexterm" name="id358974"></a>
-<a class="indexterm" name="id358980"></a>
-<a class="indexterm" name="id358987"></a>
-<a class="indexterm" name="id358994"></a>
-<a class="indexterm" name="id359001"></a>
- Samba requires UNIX POSIX identity information as well as a place to store information that is
- specific to Samba and the Windows networking environment. The most used information that must
- be dealt with includes: user accounts, group accounts, machine trust accounts, interdomain
- trust accounts, and intermediate information specific to Samba internals.
- </p><p>
-<a class="indexterm" name="id359014"></a>
-<a class="indexterm" name="id359021"></a>
-<a class="indexterm" name="id359028"></a>
- The example deployment guidelines in this book, as well as other books and HOWTO documents
- available from the internet may not fit with established directory designs and implementations.
- The existing DIT may not be able to accommodate the simple information layout proposed in common
- sources. Additionally, you may find that the common scripts and tools that are used to provision
- the LDAP directory for use with Samba may not suit your needs.
- </p><p>
-<a class="indexterm" name="id359042"></a>
- It is not uncommon, for sites that have existing LDAP DITs to find necessity to generate a
- set of site-specific scripts and utilities to make it possible to deploy Samba within the
- scope of site operations. The way that user and group accounts are distributed throughout
- the DIT may make this a challenging matter. The solution will, of course, be rewarding, but
- the journey to it may be challenging. Take time to understand site needs and do not rush
- into deployment.
- </p><p>
-<a class="indexterm" name="id359056"></a>
-<a class="indexterm" name="id359063"></a>
- Above all, do not blindly use scripts and tools that are not suitable for your site. Check
- and validate all scripts before you execute them to make sure that the existing infrastructure
- will not be damaged by inadvertent use of an inappropriate tool.
- </p></div></div><div class="sect2" title="LDAP Directories and Windows Computer Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id359075"></a>LDAP Directories and Windows Computer Accounts</h3></div></div></div><p>
-<a class="indexterm" name="id359083"></a>
-<a class="indexterm" name="id359090"></a>
-<a class="indexterm" name="id359096"></a>
- Samba doesn't provide a turnkey solution to LDAP. It is best to deal with the design and
- configuration of an LDAP directory prior to integration with Samba. A working knowledge
- of LDAP makes Samba integration easy, and the lack of a working knowledge of LDAP can make
- it a frustrating experience.
- </p><p>
-<a class="indexterm" name="id359109"></a>
-<a class="indexterm" name="id359116"></a>
-<a class="indexterm" name="id359123"></a>
- Computer (machine) accounts can be placed wherever you like in an LDAP directory subject
- to some constraints that are described in this chapter.
- </p><p>
-<a class="indexterm" name="id359134"></a>
-<a class="indexterm" name="id359141"></a>
-<a class="indexterm" name="id359148"></a>
-<a class="indexterm" name="id359155"></a>
-<a class="indexterm" name="id359161"></a>
-<a class="indexterm" name="id359168"></a>
-<a class="indexterm" name="id359175"></a>
- The POSIX and sambaSamAccount components of computer (machine) accounts are both used by Samba.
- Thus, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
- them. A user account and a machine account are indistinguishable from each other, except that
- the machine account ends in a $ character, as do trust accounts.
- </p><p>
-<a class="indexterm" name="id359188"></a>
-<a class="indexterm" name="id359195"></a>
-<a class="indexterm" name="id359202"></a>
-<a class="indexterm" name="id359208"></a>
-<a class="indexterm" name="id359215"></a>
- The need for Windows user, group, machine, trust, and other accounts to be tied to a valid UNIX
- UID is a design decision that was made a long way back in the history of Samba development. It
- is unlikely that this decision will be reversed or changed during the remaining life of the
- Samba-3.x series.
- </p><p>
-<a class="indexterm" name="id359228"></a>
-<a class="indexterm" name="id359234"></a>
-<a class="indexterm" name="id359241"></a>
- The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
- must refer back to the host operating system on which Samba is running. The NSS is the preferred
- mechanism that shields applications (like Samba) from the need to know everything about every
- host OS it runs on.
- </p><p>
-<a class="indexterm" name="id359253"></a>
-<a class="indexterm" name="id359260"></a>
-<a class="indexterm" name="id359267"></a>
-<a class="indexterm" name="id359274"></a>
-<a class="indexterm" name="id359280"></a>
-<a class="indexterm" name="id359287"></a>
-<a class="indexterm" name="id359294"></a>
- Samba asks the host OS to provide a UID via the <span class="quote">&#8220;<span class="quote">passwd</span>&#8221;</span>, <span class="quote">&#8220;<span class="quote">shadow</span>&#8221;</span>,
- and <span class="quote">&#8220;<span class="quote">group</span>&#8221;</span> facilities in the NSS control (configuration) file. The best tool
- for achieving this is left up to the UNIX administrator to determine. It is not imposed by
- Samba. Samba provides winbindd with its support libraries as one method. It is
- possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
- all account entities can be located in an LDAP directory.
- </p><p>
-<a class="indexterm" name="id359318"></a>
-<a class="indexterm" name="id359325"></a>
-<a class="indexterm" name="id359332"></a>
-<a class="indexterm" name="id359338"></a>
-<a class="indexterm" name="id359345"></a>
- For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
- be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
- is fundamentally an LDAP design question. The information provided on the Samba list and
- in the documentation is directed at providing working examples only. The design
- of an LDAP directory is a complex subject that is beyond the scope of this documentation.
- </p></div></div><div class="sect1" title="Account Management Tools"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="acctmgmttools"></a>Account Management Tools</h2></div></div></div><p>
-<a class="indexterm" name="id359371"></a>
-<a class="indexterm" name="id359378"></a>
-<a class="indexterm" name="id359385"></a>
-Samba provides two tools for management of user and machine accounts:
-<code class="literal">smbpasswd</code> and <code class="literal">pdbedit</code>.
-</p><p>
-<a class="indexterm" name="id359407"></a>
-<a class="indexterm" name="id359414"></a>
-<a class="indexterm" name="id359421"></a>
-The <code class="literal">pdbedit</code> can be used to manage account policies in addition to
-Samba user account information. The policy management capability is used to administer
-domain default settings for password aging and management controls to handle failed login
-attempts.
-</p><p>
-<a class="indexterm" name="id359439"></a>
-<a class="indexterm" name="id359446"></a>
-<a class="indexterm" name="id359452"></a>
-<a class="indexterm" name="id359459"></a>
-Some people are confused when reference is made to <code class="literal">smbpasswd</code> because the
-name refers to a storage mechanism for SambaSAMAccount information, but it is also the name
-of a utility tool. That tool is destined to eventually be replaced by new functionality that
-is being added to the <code class="literal">net</code> toolset (see <a class="link" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">the Net Command</a>).
-</p><div class="sect2" title="The smbpasswd Tool"><div class="titlepage"><div><div><h3 class="title"><a name="id359487"></a>The <code class="literal">smbpasswd</code> Tool</h3></div></div></div><p>
-<a class="indexterm" name="id359501"></a>
-<a class="indexterm" name="id359508"></a>
-<a class="indexterm" name="id359515"></a>
-<a class="indexterm" name="id359522"></a>
-<a class="indexterm" name="id359528"></a>
- The <code class="literal">smbpasswd</code> utility is similar to the <code class="literal">passwd</code>
- and <code class="literal">yppasswd</code> programs. It maintains the two 32 byte password
- fields in the passdb backend. This utility operates independently of the actual
- account and password storage methods used (as specified by the <em class="parameter"><code>passdb
- backend</code></em> in the <code class="filename">smb.conf</code> file).
- </p><p>
-<a class="indexterm" name="id359570"></a>
-<a class="indexterm" name="id359577"></a>
- <code class="literal">smbpasswd</code> works in a client-server mode where it contacts the
- local smbd to change the user's password on its behalf. This has enormous benefits.
- </p><p>
-<a class="indexterm" name="id359594"></a>
-<a class="indexterm" name="id359601"></a>
- <code class="literal">smbpasswd</code> has the capability to change passwords on Windows NT
- servers (this only works when the request is sent to the NT PDC if changing an NT
- domain user's password).
- </p><p>
- <a class="indexterm" name="id359618"></a>
- <a class="indexterm" name="id359625"></a>
- <code class="literal">smbpasswd</code> can be used to:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>add</em></span> user or machine accounts.</p></li><li class="listitem"><p><span class="emphasis"><em>delete</em></span> user or machine accounts.</p></li><li class="listitem"><p><span class="emphasis"><em>enable</em></span> user or machine accounts.</p></li><li class="listitem"><p><span class="emphasis"><em>disable</em></span> user or machine accounts.</p></li><li class="listitem"><p><span class="emphasis"><em>set to NULL</em></span> user passwords.</p></li><li class="listitem"><p><span class="emphasis"><em>manage</em></span> interdomain trust accounts.</p></li></ul></div><p>
- To run smbpasswd as a normal user, just type:
- </p><p>
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>smbpasswd</code></strong>
-<code class="prompt">Old SMB password: </code><strong class="userinput"><code><em class="replaceable"><code>secret</code></em></code></strong>
-</pre><p>
- For <em class="replaceable"><code>secret</code></em>, type the old value here or press return if
- there is no old password.
-</p><pre class="screen">
-<code class="prompt">New SMB Password: </code><strong class="userinput"><code><em class="replaceable"><code>new secret</code></em></code></strong>
-<code class="prompt">Repeat New SMB Password: </code><strong class="userinput"><code><em class="replaceable"><code>new secret</code></em></code></strong>
-</pre><p>
- </p><p>
- If the old value does not match the current value stored for that user, or the two
- new values do not match each other, then the password will not be changed.
- </p><p>
-<a class="indexterm" name="id359761"></a>
- When invoked by an ordinary user, the command will allow only the user to change his or her own
- SMB password.
- </p><p>
-<a class="indexterm" name="id359772"></a>
-<a class="indexterm" name="id359778"></a>
- When run by root, <code class="literal">smbpasswd</code> may take an optional argument specifying
- the username whose SMB password you wish to change. When run as root, <code class="literal">smbpasswd</code>
- does not prompt for or check the old password value, thus allowing root to set passwords
- for users who have forgotten their passwords.
- </p><p>
-<a class="indexterm" name="id359803"></a>
-<a class="indexterm" name="id359809"></a>
-<a class="indexterm" name="id359816"></a>
-<a class="indexterm" name="id359823"></a>
- <code class="literal">smbpasswd</code> is designed to work in the way familiar to UNIX
- users who use the <code class="literal">passwd</code> or <code class="literal">yppasswd</code> commands.
- While designed for administrative use, this tool provides essential user-level
- password change capabilities.
- </p><p>
-<a class="indexterm" name="id359852"></a>
- For more details on using <code class="literal">smbpasswd</code>, refer to the man page (the
- definitive reference).
- </p></div><div class="sect2" title="The pdbedit Tool"><div class="titlepage"><div><div><h3 class="title"><a name="pdbeditthing"></a>The <code class="literal">pdbedit</code> Tool</h3></div></div></div><p>
- <a class="indexterm" name="id359885"></a>
- <a class="indexterm" name="id359892"></a>
- <a class="indexterm" name="id359899"></a>
- <a class="indexterm" name="id359906"></a>
- <code class="literal">pdbedit</code> is a tool that can be used only by root. It is used to
- manage the passdb backend, as well as domain-wide account policy settings. <code class="literal">pdbedit</code>
- can be used to:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>add, remove, or modify user accounts.</p></li><li class="listitem"><p>list user accounts.</p></li><li class="listitem"><p>migrate user accounts.</p></li><li class="listitem"><p>migrate group accounts.</p></li><li class="listitem"><p>manage account policies.</p></li><li class="listitem"><p>manage domain access policy settings.</p></li></ul></div><p>
- <a class="indexterm" name="id359962"></a>
- Under the terms of the Sarbanes-Oxley Act of 2002, American businesses and organizations are mandated to
- implement a series of <code class="literal">internal controls</code> and procedures to communicate, store,
- and protect financial data. The Sarbanes-Oxley Act has far reaching implications in respect of:
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Who has access to information systems that store financial data.</p></li><li class="listitem"><p>How personal and financial information is treated among employees and business
- partners.</p></li><li class="listitem"><p>How security vulnerabilities are managed.</p></li><li class="listitem"><p>Security and patch level maintenance for all information systems.</p></li><li class="listitem"><p>How information systems changes are documented and tracked.</p></li><li class="listitem"><p>How information access controls are implemented and managed.</p></li><li class="listitem"><p>Auditability of all information systems in respect of change and security.</p></li><li class="listitem"><p>Disciplinary procedures and controls to ensure privacy.</p></li></ol></div><p>
- <a class="indexterm" name="id360028"></a>
- <a class="indexterm" name="id360034"></a>
- In short, the Sarbanes-Oxley Act of 2002 is an instrument that enforces accountability in respect of
- business related information systems so as to ensure the compliance of all information systems that
- are used to store personal information and particularly for financial records processing. Similar
- accountabilities are being demanded around the world.
- </p><p>
- <a class="indexterm" name="id360048"></a>
- <a class="indexterm" name="id360054"></a>
- <a class="indexterm" name="id360061"></a>
- <a class="indexterm" name="id360068"></a>
- <a class="indexterm" name="id360075"></a>
- The need to be familiar with the Samba tools and facilities that permit information systems operation
- in compliance with government laws and regulations is clear to all. The <code class="literal">pdbedit</code> is
- currently the only Samba tool that provides the capacity to manage account and systems access controls
- and policies. During the remaining life-cycle of the Samba-3 series it is possible the new tools may
- be implemented to aid in this important area.
- </p><p>
- Domain global policy controls available in Windows NT4 compared with Samba
- is shown in <a class="link" href="passdb.html#policycontrols" title="Table 11.1. NT4 Domain v's Samba Policy Controls">NT4 Domain v's Samba Policy Controls</a>.
- </p><div class="table"><a name="policycontrols"></a><p class="title"><b>Table 11.1. NT4 Domain v's Samba Policy Controls</b></p><div class="table-contents"><table summary="NT4 Domain v's Samba Policy Controls" border="1"><colgroup><col align="left"><col align="left"><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="left"><p>NT4 policy Name</p></th><th align="left"><p>Samba Policy Name</p></th><th align="center"><p>NT4 Range</p></th><th align="center"><p>Samba Range</p></th><th align="center"><p>Samba Default</p></th></tr></thead><tbody><tr><td align="left"><p>Maximum Password Age</p></td><td align="left"><p>maximum password age</p></td><td align="center"><p>0 - 999 (days)</p></td><td align="center"><p>0 - 4294967295 (sec)</p></td><td align="center"><p>4294967295</p></td></tr><tr><td align="left"><p>Minimum Password Age</p></td><td align="left"><p>minimum password age</p></td><td align="center"><p>0 - 999 (days)</p></td><td align="center"><p>0 - 4294967295 (sec)</p></td><td align="center"><p>0</p></td></tr><tr><td align="left"><p>Minimum Password Length</p></td><td align="left"><p>min password length</p></td><td align="center"><p>1 - 14 (Chars)</p></td><td align="center"><p>0 - 4294967295 (Chars)</p></td><td align="center"><p>5</p></td></tr><tr><td align="left"><p>Password Uniqueness</p></td><td align="left"><p>password history</p></td><td align="center"><p>0 - 23 (#)</p></td><td align="center"><p>0 - 4294967295 (#)</p></td><td align="center"><p>0</p></td></tr><tr><td align="left"><p>Account Lockout - Reset count after</p></td><td align="left"><p>reset count minutes</p></td><td align="center"><p>1 - 99998 (min)</p></td><td align="center"><p>0 - 4294967295 (min)</p></td><td align="center"><p>30</p></td></tr><tr><td align="left"><p>Lockout after bad logon attempts</p></td><td align="left"><p>bad lockout attempt</p></td><td align="center"><p>0 - 998 (#)</p></td><td align="center"><p>0 - 4294967295 (#)</p></td><td 
align="center"><p>0</p></td></tr><tr><td align="left"><p>*** Not Known ***</p></td><td align="left"><p>disconnect time</p></td><td align="center"><p>TBA</p></td><td align="center"><p>0 - 4294967295</p></td><td align="center"><p>0</p></td></tr><tr><td align="left"><p>Lockout Duration</p></td><td align="left"><p>lockout duration</p></td><td align="center"><p>1 - 99998 (min)</p></td><td align="center"><p>0 - 4294967295 (min)</p></td><td align="center"><p>30</p></td></tr><tr><td align="left"><p>Users must log on in order to change password</p></td><td align="left"><p>user must logon to change password</p></td><td align="center"><p>0/1</p></td><td align="center"><p>0 - 4294967295</p></td><td align="center"><p>0</p></td></tr><tr><td align="left"><p>*** Registry Setting ***</p></td><td align="left"><p>refuse machine password change</p></td><td align="center"><p>0/1</p></td><td align="center"><p>0 - 4294967295</p></td><td align="center"><p>0</p></td></tr></tbody></table></div></div><br class="table-break"><p>
- <a class="indexterm" name="id360445"></a>
-<a class="indexterm" name="id360451"></a>
-<a class="indexterm" name="id360458"></a>
-<a class="indexterm" name="id360465"></a>
- The <code class="literal">pdbedit</code> tool is the only one that can manage the account
- security and policy settings. It is capable of all operations that smbpasswd can
- do as well as a superset of them.
- </p><p>
- <a class="indexterm" name="id360483"></a>
-<a class="indexterm" name="id360489"></a>
-<a class="indexterm" name="id360496"></a>
- One particularly important purpose of the <code class="literal">pdbedit</code> is to allow
- the import/export of account information from one passdb backend to another.
- </p><div class="sect3" title="User Account Management"><div class="titlepage"><div><div><h4 class="title"><a name="id360511"></a>User Account Management</h4></div></div></div><p>
-<a class="indexterm" name="id360519"></a>
-<a class="indexterm" name="id360526"></a>
-<a class="indexterm" name="id360533"></a>
-<a class="indexterm" name="id360539"></a>
-<a class="indexterm" name="id360546"></a>
-<a class="indexterm" name="id360553"></a>
-<a class="indexterm" name="id360560"></a>
- The <code class="literal">pdbedit</code> tool, like the <code class="literal">smbpasswd</code> tool, requires
- that a POSIX user account already exists in the UNIX/Linux system accounts database (backend).
- Neither tool will call out to the operating system to create a user account because this is
- considered to be the responsibility of the system administrator. When the Windows NT4 domain
- user manager is used to add an account, Samba will implement the <code class="literal">add user script</code>
- (as well as the other interface scripts) to ensure that user, group and machine accounts are
- correctly created and changed. The use of the <code class="literal">pdbedit</code> tool does not
- make use of these interface scripts.
- </p><p>
-<a class="indexterm" name="id360598"></a>
-<a class="indexterm" name="id360605"></a>
- Before attempting to use the <code class="literal">pdbedit</code> tool to manage user and machine
- accounts, make certain that a system (POSIX) account has already been created.
- </p><div class="sect4" title="Listing User and Machine Accounts"><div class="titlepage"><div><div><h5 class="title"><a name="id360620"></a>Listing User and Machine Accounts</h5></div></div></div><p>
-<a class="indexterm" name="id360628"></a>
-<a class="indexterm" name="id360635"></a>
- The following is an example of the user account information that is stored in
- a tdbsam password backend. This listing was produced by running:
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>pdbedit -Lv met</code></strong>
-UNIX username: met
-NT username: met
-Account Flags: [U ]
-User SID: S-1-5-21-1449123459-1407424037-3116680435-2004
-Primary Group SID: S-1-5-21-1449123459-1407424037-3116680435-1201
-Full Name: Melissa E Terpstra
-Home Directory: \\frodo\met\Win9Profile
-HomeDir Drive: H:
-Logon Script: scripts\logon.bat
-Profile Path: \\frodo\Profiles\met
-Domain: MIDEARTH
-Account desc:
-Workstations: melbelle
-Munged dial:
-Logon time: 0
-Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
-Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
-Password last set: Sat, 14 Dec 2002 14:37:03 GMT
-Password can change: Sat, 14 Dec 2002 14:37:03 GMT
-Password must change: Mon, 18 Jan 2038 20:14:07 GMT
-</pre><p>
- </p><p>
-<a class="indexterm" name="id360669"></a>
- Accounts can also be listed in the older <code class="literal">smbpasswd</code> format:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>pdbedit -Lw</code></strong>
-root:0:84B0D8E14D158FF8417EAF50CFAC29C3:
- AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-42681AB8:
-jht:1000:6BBC4159020A52741486235A2333E4D2:
- CC099521AD554A3C3CF2556274DBCFBC:[U ]:LCT-40D75B5B:
-rcg:1002:E95D4331A6F23AF8AAD3B435B51404EE:
- BB0F2C39B04CA6100F0E535DF8314B43:[U ]:LCT-40D7C5A3:
-afw:1003:1AAFA7F9F6DC1DEAAAD3B435B51404EE:
- CE92C2F9471594CDC4E7860CA6BC62DB:[T ]:LCT-40DA501F:
-met:1004:A2848CB7E076B435AAD3B435B51404EE:
- F25F5D3405085C555236B80B7B22C0D2:[U ]:LCT-4244FAB8:
-aurora$:1005:060DE593EA638B8ACC4A19F14D2FF2BB:
- 060DE593EA638B8ACC4A19F14D2FF2BB:[W ]:LCT-4173E5CC:
-temptation$:1006:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
- A96703C014E404E33D4049F706C45EE9:[W ]:LCT-42BF0C57:
-vaioboss$:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
- 88A30A095160072784C88F811E89F98A:[W ]:LCT-41C3878D:
-frodo$:1008:15891DC6B843ECA41249940C814E316B:
- B68EADCCD18E17503D3DAD3E6B0B9A75:[W ]:LCT-42B7979F:
-marvel$:1011:BF709959C3C94E0B3958B7B84A3BB6F3:
- C610EFE9A385A3E8AA46ADFD576E6881:[W ]:LCT-40F07A4
-</pre><p>
-<a class="indexterm" name="id360707"></a>
-<a class="indexterm" name="id360714"></a>
-<a class="indexterm" name="id360721"></a>
-<a class="indexterm" name="id360728"></a>
-<a class="indexterm" name="id360734"></a>
-<a class="indexterm" name="id360741"></a>
- The account information that was returned by this command in order from left to right
- consists of the following colon separated data:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Login ID.</p></li><li class="listitem"><p>UNIX UID.</p></li><li class="listitem"><p>Microsoft LanManager password hash (password converted to upper-case then hashed).</p></li><li class="listitem"><p>Microsoft NT password hash (hash of the case-preserved password).</p></li><li class="listitem"><p>Samba SAM Account Flags.</p></li><li class="listitem"><p>The LCT data (password last change time).</p></li></ul></div><p>
-<a class="indexterm" name="id360789"></a>
-<a class="indexterm" name="id360796"></a>
- The Account Flags parameters are documented in the <code class="literal">pdbedit</code> man page, and are
- briefly documented in <a class="link" href="passdb.html#TOSHARG-acctflags" title="Account Flags Management">the Account Flags Management section</a>.
- </p><p>
-<a class="indexterm" name="id360820"></a>
- The LCT data consists of 8 hexadecimal characters representing the time since January 1, 1970, of
- the time when the password was last changed.
- </p></div><div class="sect4" title="Adding User Accounts"><div class="titlepage"><div><div><h5 class="title"><a name="id360831"></a>Adding User Accounts</h5></div></div></div><p>
-<a class="indexterm" name="id360838"></a>
-<a class="indexterm" name="id360845"></a>
-<a class="indexterm" name="id360852"></a>
-<a class="indexterm" name="id360859"></a>
-<a class="indexterm" name="id360866"></a>
- The <code class="literal">pdbedit</code> can be used to add a user account to a standalone server
- or to a domain. In the example shown here the account for the user <code class="literal">vlaan</code>
- has been created before attempting to add the SambaSAMAccount.
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -a vlaan
-new password: secretpw
-retype new password: secretpw
-Unix username: vlaan
-NT username: vlaan
-Account Flags: [U ]
-User SID: S-1-5-21-726309263-4128913605-1168186429-3014
-Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513
-Full Name: Victor Laan
-Home Directory: \\frodo\vlaan
-HomeDir Drive: H:
-Logon Script: scripts\logon.bat
-Profile Path: \\frodo\profiles\vlaan
-Domain: MIDEARTH
-Account desc: Guest User
-Workstations:
-Munged dial:
-Logon time: 0
-Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
-Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
-Password last set: Wed, 29 Jun 2005 19:35:12 GMT
-Password can change: Wed, 29 Jun 2005 19:35:12 GMT
-Password must change: Mon, 18 Jan 2038 20:14:07 GMT
-Last bad password : 0
-Bad password count : 0
-Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-</pre><p>
- </p></div><div class="sect4" title="Deleting Accounts"><div class="titlepage"><div><div><h5 class="title"><a name="id360908"></a>Deleting Accounts</h5></div></div></div><p>
-<a class="indexterm" name="id360915"></a>
-<a class="indexterm" name="id360922"></a>
-<a class="indexterm" name="id360929"></a>
-<a class="indexterm" name="id360936"></a>
- An account can be deleted from the SambaSAMAccount database
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -x vlaan
-</pre><p>
- The account is removed without further screen output. The account is removed only from the
- SambaSAMAccount (passdb backend) database, it is not removed from the UNIX account backend.
- </p><p>
-<a class="indexterm" name="id360960"></a>
-<a class="indexterm" name="id360966"></a>
- The use of the NT4 domain user manager to delete an account will trigger the <em class="parameter"><code>delete user
- script</code></em>, but not the <code class="literal">pdbedit</code> tool.
- </p></div><div class="sect4" title="Changing User Accounts"><div class="titlepage"><div><div><h5 class="title"><a name="id360988"></a>Changing User Accounts</h5></div></div></div><p>
-<a class="indexterm" name="id360996"></a>
- Refer to the <code class="literal">pdbedit</code> man page for a full synopsis of all operations
- that are available with this tool.
- </p><p>
-<a class="indexterm" name="id361013"></a>
- An example of a simple change in the user account information is the change of the full name
- information shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -r --fullname="Victor Aluicious Laan" vlaan
-...
-Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513
-Full Name: Victor Aluicious Laan
-Home Directory: \\frodo\vlaan
-...
-</pre><p>
- </p><p>
-<a class="indexterm" name="id361037"></a>
-<a class="indexterm" name="id361044"></a>
-<a class="indexterm" name="id361050"></a>
- Let us assume for a moment that a user's password has expired and the user is unable to
- change the password at this time. It may be necessary to give the user additional grace time
- so that it is possible to continue to work with the account and the original password. This
- demonstrates how the password expiration settings may be updated
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -Lv vlaan
-...
-Password last set: Sun, 09 Sep 2001 22:21:40 GMT
-Password can change: Thu, 03 Jan 2002 15:08:35 GMT
-Password must change: Thu, 03 Jan 2002 15:08:35 GMT
-Last bad password : Thu, 03 Jan 2002 15:08:35 GMT
-Bad password count : 2
-...
-</pre><p>
-<a class="indexterm" name="id361074"></a>
-<a class="indexterm" name="id361081"></a>
- The user has recorded 2 bad logon attempts and the next will lock the account, but the
- password is also expired. Here is how this account can be reset:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -z vlaan
-...
-Password last set: Sun, 09 Sep 2001 22:21:40 GMT
-Password can change: Thu, 03 Jan 2002 15:08:35 GMT
-Password must change: Thu, 03 Jan 2002 15:08:35 GMT
-Last bad password : 0
-Bad password count : 0
-...
-</pre><p>
- The <code class="literal">Password must change:</code> parameter can be reset like this:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit --pwd-must-change-time=1200000000 vlaan
-...
-Password last set: Sun, 09 Sep 2001 22:21:40 GMT
-Password can change: Thu, 03 Jan 2002 15:08:35 GMT
-Password must change: Thu, 10 Jan 2008 14:20:00 GMT
-...
-</pre><p>
- Another way to use this tools is to set the date like this:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit --pwd-must-change-time="2010-01-01" \
- --time-format="%Y-%m-%d" vlaan
-...
-Password last set: Sun, 09 Sep 2001 22:21:40 GMT
-Password can change: Thu, 03 Jan 2002 15:08:35 GMT
-Password must change: Fri, 01 Jan 2010 00:00:00 GMT
-...
-</pre><p>
-<a class="indexterm" name="id361136"></a>
-<a class="indexterm" name="id361142"></a>
- Refer to the strptime man page for specific time format information.
- </p><p>
-<a class="indexterm" name="id361153"></a>
-<a class="indexterm" name="id361160"></a>
- Please refer to the pdbedit man page for further information relating to SambaSAMAccount
- management.
- </p><div class="sect5" title="Account Flags Management"><div class="titlepage"><div><div><h6 class="title"><a name="TOSHARG-acctflags"></a>Account Flags Management</h6></div></div></div><p>
-<a class="indexterm" name="id361180"></a>
-<a class="indexterm" name="id361187"></a>
-<a class="indexterm" name="id361196"></a>
-<a class="indexterm" name="id361203"></a>
- The Samba SAM account flags are properly called the ACB (account control block) within
- the Samba source code. In some parts of the Samba source code they are referred to as the
- account encode_bits, and also as the account control flags.
- </p><p>
-<a class="indexterm" name="id361215"></a>
-<a class="indexterm" name="id361222"></a>
-<a class="indexterm" name="id361229"></a>
-<a class="indexterm" name="id361235"></a>
-<a class="indexterm" name="id361242"></a>
- The manual adjustment of user, machine (workstation or server) or an inter-domain trust
- account account flgas should not be necessary under normal conditions of use of Samba. On the other hand,
- where this information becomes corrupted for some reason, the ability to correct the damaged data is certainly
- useful. The tool of choice by which such correction can be affected is the <code class="literal">pdbedit</code> utility.
- </p><p>
-<a class="indexterm" name="id361262"></a>
-<a class="indexterm" name="id361268"></a>
- There have been a few requests for information regarding the account flags from developers
- who are creating their own Samba management tools. An example of a need for information regarding
- the proper management of the account flags is evident when developing scripts that will be used
- to manage an LDAP directory.
- </p><p>
-<a class="indexterm" name="id361281"></a>
-<a class="indexterm" name="id361288"></a>
- The account flag field can contain up to 16 characters. Presently, only 11 are in use.
- These are listed in <a class="link" href="passdb.html#accountflags" title="Table 11.2. Samba SAM Account Control Block Flags">Samba SAM Account Control Block Flags</a>.
- The order in which the flags are specified to the <code class="literal">pdbedit</code> command is not important.
- In fact, they can be set without problem in any order in the SambaAcctFlags record in the LDAP directory.
- </p><div class="table"><a name="accountflags"></a><p class="title"><b>Table 11.2. Samba SAM Account Control Block Flags</b></p><div class="table-contents"><table summary="Samba SAM Account Control Block Flags" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Flag</th><th align="center">Description</th></tr></thead><tbody><tr><td align="center">D</td><td align="left">Account is disabled.</td></tr><tr><td align="center">H</td><td align="left">A home directory is required.</td></tr><tr><td align="center">I</td><td align="left">An inter-domain trust account.</td></tr><tr><td align="center">L</td><td align="left">Account has been auto-locked.</td></tr><tr><td align="center">M</td><td align="left">An MNS (Microsoft network service) logon account.</td></tr><tr><td align="center">N</td><td align="left">Password not required.</td></tr><tr><td align="center">S</td><td align="left">A server trust account.</td></tr><tr><td align="center">T</td><td align="left">Temporary duplicate account entry.</td></tr><tr><td align="center">U</td><td align="left">A normal user account.</td></tr><tr><td align="center">W</td><td align="left">A workstation trust account.</td></tr><tr><td align="center">X</td><td align="left">Password does not expire.</td></tr></tbody></table></div></div><br class="table-break"><p>
-<a class="indexterm" name="id361511"></a>
-<a class="indexterm" name="id361518"></a>
- An example of use of the <code class="literal">pdbedit</code> utility to set the account control flags
- is shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -r -c "[DLX]" jht
-Unix username: jht
-NT username: jht
-Account Flags: [DHULX ]
-User SID: S-1-5-21-729263-4123605-1186429-3000
-Primary Group SID: S-1-5-21-729263-4123605-1186429-513
-Full Name: John H Terpstra,Utah Office
-Home Directory: \\aurora\jht
-HomeDir Drive: H:
-Logon Script: scripts\logon.bat
-Profile Path: \\aurora\profiles\jht
-Domain: MIDEARTH
-Account desc: BluntObject
-Workstations:
-Logon time: 0
-Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
-Kickoff time: 0
-Password last set: Sun, 03 Jul 2005 23:19:18 GMT
-Password can change: Sun, 03 Jul 2005 23:19:18 GMT
-Password must change: Mon, 18 Jan 2038 20:14:07 GMT
-Last bad password : 0
-Bad password count : 0
-Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-</pre><p>
-<a class="indexterm" name="id361557"></a>
- The flags can be reset to the default settings by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -r -c "[]" jht
-Unix username: jht
-NT username: jht
-Account Flags: [U ]
-User SID: S-1-5-21-729263-4123605-1186429-3000
-Primary Group SID: S-1-5-21-729263-4123605-1186429-513
-Full Name: John H Terpstra,Utah Office
-Home Directory: \\aurora\jht
-HomeDir Drive: H:
-Logon Script: scripts\logon.bat
-Profile Path: \\aurora\profiles\jht
-Domain: MIDEARTH
-Account desc: BluntObject
-Workstations:
-Logon time: 0
-Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
-Kickoff time: 0
-Password last set: Sun, 03 Jul 2005 23:19:18 GMT
-Password can change: Sun, 03 Jul 2005 23:19:18 GMT
-Password must change: Mon, 18 Jan 2038 20:14:07 GMT
-Last bad password : 0
-Bad password count : 0
-Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-</pre><p>
- </p></div></div><div class="sect4" title="Domain Account Policy Managment"><div class="titlepage"><div><div><h5 class="title"><a name="id361587"></a>Domain Account Policy Managment</h5></div></div></div><p>
-<a class="indexterm" name="id361594"></a>
-<a class="indexterm" name="id361601"></a>
- To view the domain account access policies that may be configured execute:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -P ?
-No account policy by that name
-Account policy names are :
-min password length
-password history
-user must logon to change password
-maximum password age
-minimum password age
-lockout duration
-reset count minutes
-bad lockout attempt
-disconnect time
-refuse machine password change
-</pre><p>
- </p><p>
- Commands will be executed to establish controls for our domain as follows:
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>min password length = 8 characters.</p></li><li class="listitem"><p>password history = last 4 passwords.</p></li><li class="listitem"><p>maximum password age = 90 days.</p></li><li class="listitem"><p>minimum password age = 7 days.</p></li><li class="listitem"><p>bad lockout attempt = 8 bad logon attempts.</p></li><li class="listitem"><p>lockout duration = forever, account must be manually reenabled.</p></li></ol></div><p>
- The following command execution will achieve these settings:
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -P "min password length" -C 8
-account policy value for min password length was 5
-account policy value for min password length is now 8
-<code class="prompt">root# </code> pdbedit -P "password history" -C 4
-account policy value for password history was 0
-account policy value for password history is now 4
-<code class="prompt">root# </code> pdbedit -P "maximum password age" -C 7776000
-account policy value for maximum password age was 4294967295
-account policy value for maximum password age is now 7776000
-<code class="prompt">root# </code> pdbedit -P "minimum password age" -C 604800
-account policy value for minimum password age was 0
-account policy value for minimum password age is now 7
-<code class="prompt">root# </code> pdbedit -P "bad lockout attempt" -C 8
-account policy value for bad lockout attempt was 0
-account policy value for bad lockout attempt is now 8
-<code class="prompt">root# </code> pdbedit -P "lockout duration" -C -1
-account policy value for lockout duration was 30
-account policy value for lockout duration is now 4294967295
-</pre><p>
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-To set the maximum (infinite) lockout time use the value of -1.
-</p></div><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-Account policies must be set individually on each PDC and BDC. At this time (Samba 3.0.11 to Samba 3.0.14a)
-account policies are not replicated automatically. This may be fixed before Samba 3.0.20 ships or some
-time there after. Please check the WHATSNEW.txt file in the Samba-3 tarball for specific update notiations
-regarding this facility.
-</p></div></div></div><div class="sect3" title="Account Import/Export"><div class="titlepage"><div><div><h4 class="title"><a name="id361730"></a>Account Import/Export</h4></div></div></div><p>
- <a class="indexterm" name="id361738"></a>
-<a class="indexterm" name="id361745"></a>
-<a class="indexterm" name="id361752"></a>
- The <code class="literal">pdbedit</code> tool allows import/export of authentication (account)
- databases from one backend to another. For example, to import/export accounts from an
- old <code class="filename">smbpasswd</code> database to a <em class="parameter"><code>tdbsam</code></em>
- backend:
- </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
-<a class="indexterm" name="id361786"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>pdbedit -i smbpasswd -e tdbsam</code></strong>
-</pre><p>
- </p></li><li class="step" title="Step 2"><p>
-<a class="indexterm" name="id361816"></a>
- Replace the <em class="parameter"><code>smbpasswd</code></em> with <em class="parameter"><code>tdbsam</code></em> in the
- <em class="parameter"><code>passdb backend</code></em> configuration in <code class="filename">smb.conf</code>.
- </p></li></ol></div></div></div></div><div class="sect1" title="Password Backends"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id361852"></a>Password Backends</h2></div></div></div><p>
-<a class="indexterm" name="id361860"></a>
-<a class="indexterm" name="id361867"></a>
-Samba offers flexibility in backend account database design. The flexibility is immediately obvious as one
-begins to explore this capability. Recent changes to Samba (since 3.0.23) have removed the mulitple backend
-feature in order to simplify problems that broke some installations. This removal has made the internal
-operation of Samba-3 more consistent and predictable.
-</p><p>
-<a class="indexterm" name="id361880"></a>
-<a class="indexterm" name="id361887"></a>
-Beginning with Samba 3.0.23 it is no longer possible to specify use of mulitple passdb backends. Earlier
-versions of Samba-3 made it possible to specify multiple password backends, and even multiple
-backends of the same type. The multiple passdb backend capability caused many problems with name to SID and
-SID to name ID resolution. The Samba team wrestled with the challenges and decided that this feature needed
-to be removed.
-</p><div class="sect2" title="Plaintext"><div class="titlepage"><div><div><h3 class="title"><a name="id361898"></a>Plaintext</h3></div></div></div><p>
-<a class="indexterm" name="id361906"></a>
-<a class="indexterm" name="id361913"></a>
-<a class="indexterm" name="id361920"></a>
-<a class="indexterm" name="id361926"></a>
-<a class="indexterm" name="id361933"></a>
-<a class="indexterm" name="id361940"></a>
- Older versions of Samba retrieved user information from the UNIX user database
- and eventually some other fields from the file <code class="filename">/etc/samba/smbpasswd</code>
- or <code class="filename">/etc/smbpasswd</code>. When password encryption is disabled, no
- SMB-specific data is stored at all. Instead, all operations are conducted via the way
- that the Samba host OS will access its <code class="filename">/etc/passwd</code> database.
- On most Linux systems, for example, all user and group resolution is done via PAM.
- </p></div><div class="sect2" title="smbpasswd: Encrypted Password Database"><div class="titlepage"><div><div><h3 class="title"><a name="id361970"></a>smbpasswd: Encrypted Password Database</h3></div></div></div><p>
- <a class="indexterm" name="id361978"></a>
-<a class="indexterm" name="id361987"></a>
-<a class="indexterm" name="id361994"></a>
-<a class="indexterm" name="id362001"></a>
- Traditionally, when configuring <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords = yes</a>
- in Samba's <code class="filename">smb.conf</code> file, user account information such as username, LM/NT password hashes,
- password change times, and account flags have been stored in the <code class="filename">smbpasswd(5)</code>
- file. There are several disadvantages to this approach for sites with large numbers of users
- (counted in the thousands).
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id362040"></a>
- The first problem is that all lookups must be performed sequentially. Given that
- there are approximately two lookups per domain logon (one during initial logon validation
- and one for a session connection setup, such as when mapping a network drive or printer), this
- is a performance bottleneck for large sites. What is needed is an indexed approach
- such as that used in databases.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id362054"></a>
-<a class="indexterm" name="id362061"></a>
-<a class="indexterm" name="id362068"></a>
-<a class="indexterm" name="id362074"></a>
-<a class="indexterm" name="id362081"></a>
- The second problem is that administrators who desire to replicate an smbpasswd file
- to more than one Samba server are left to use external tools such as
- <code class="literal">rsync(1)</code> and <code class="literal">ssh(1)</code> and write custom,
- in-house scripts.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id362106"></a>
-<a class="indexterm" name="id362113"></a>
-<a class="indexterm" name="id362119"></a>
-<a class="indexterm" name="id362126"></a>
-<a class="indexterm" name="id362133"></a>
- Finally, the amount of information that is stored in an smbpasswd entry leaves
- no room for additional attributes such as a home directory, password expiration time,
- or even a relative identifier (RID).
- </p></li></ul></div><p>
-<a class="indexterm" name="id362148"></a>
-<a class="indexterm" name="id362155"></a>
-<a class="indexterm" name="id362162"></a>
-<a class="indexterm" name="id362169"></a>
- As a result of these deficiencies, a more robust means of storing user attributes
- used by smbd was developed. The API that defines access to user accounts
- is commonly referred to as the samdb interface (previously, this was called the passdb
- API and is still so named in the Samba source code trees).
- </p><p>
-<a class="indexterm" name="id362181"></a>
-<a class="indexterm" name="id362188"></a>
-<a class="indexterm" name="id362195"></a>
-<a class="indexterm" name="id362202"></a>
-<a class="indexterm" name="id362209"></a>
- Samba provides an enhanced set of passdb backends that overcome the deficiencies
- of the smbpasswd plaintext database. These are tdbsam and ldapsam.
- Of these, ldapsam will be of most interest to large corporate or enterprise sites.
- </p></div><div class="sect2" title="tdbsam"><div class="titlepage"><div><div><h3 class="title"><a name="id362220"></a>tdbsam</h3></div></div></div><p>
- <a class="indexterm" name="id362228"></a>
-<a class="indexterm" name="id362237"></a>
-<a class="indexterm" name="id362246"></a>
- Samba can store user and machine account data in a <span class="quote">&#8220;<span class="quote">TDB</span>&#8221;</span> (trivial database).
- Using this backend does not require any additional configuration. This backend is
- recommended for new installations that do not require LDAP.
- </p><p>
-<a class="indexterm" name="id362261"></a>
-<a class="indexterm" name="id362268"></a>
-<a class="indexterm" name="id362274"></a>
-<a class="indexterm" name="id362281"></a>
- As a general guide, the Samba Team does not recommend using the tdbsam backend for sites
- that have 250 or more users. Additionally, tdbsam is not capable of scaling for use
- in sites that require PDB/BDC implementations that require replication of the account
- database. Clearly, for reason of scalability, the use of ldapsam should be encouraged.
- </p><p>
-<a class="indexterm" name="id362294"></a>
-<a class="indexterm" name="id362301"></a>
-<a class="indexterm" name="id362308"></a>
- The recommendation of a 250-user limit is purely based on the notion that this
- would generally involve a site that has routed networks, possibly spread across
- more than one physical location. The Samba Team has not at this time established
- the performance-based scalability limits of the tdbsam architecture.
- </p><p>
-<a class="indexterm" name="id362320"></a>
-<a class="indexterm" name="id362327"></a>
-<a class="indexterm" name="id362334"></a>
-<a class="indexterm" name="id362341"></a>
- There are sites that have thousands of users and yet require only one server.
- One site recently reported having 4,500 user accounts on one UNIX system and
- reported excellent performance with the <code class="literal">tdbsam</code> passdb backend.
- The limitation of where the <code class="literal">tdbsam</code> passdb backend can be used
- is not one pertaining to a limitation in the TDB storage system, it is based
- only on the need for a reliable distribution mechanism for the SambaSAMAccount
- backend.
- </p></div><div class="sect2" title="ldapsam"><div class="titlepage"><div><div><h3 class="title"><a name="id362365"></a>ldapsam</h3></div></div></div><p>
-<a class="indexterm" name="id362373"></a>
-<a class="indexterm" name="id362380"></a>
- <a class="indexterm" name="id362387"></a>
- There are a few points to stress that the ldapsam does not provide. The LDAP
- support referred to in this documentation does not include:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A means of retrieving user account information from
- a Windows 200x Active Directory server.</p></li><li class="listitem"><p>A means of replacing /etc/passwd.</p></li></ul></div><p>
-<a class="indexterm" name="id362414"></a>
-<a class="indexterm" name="id362420"></a>
-<a class="indexterm" name="id362427"></a>
-<a class="indexterm" name="id362433"></a>
- The second item can be accomplished by using LDAP NSS and PAM modules. LGPL versions of these libraries can be
- obtained from <a class="ulink" href="http://www.padl.com/" target="_top">PADL Software</a>. More information about the
- configuration of these packages may be found in <a class="ulink" href="http://safari.oreilly.com/?XmlId=1-56592-491-6" target="_top">
- <span class="emphasis"><em>LDAP, System Administration</em></span> by Gerald Carter, Chapter 6, Replacing NIS"</a>.
- </p><p>
-<a class="indexterm" name="id362460"></a>
-<a class="indexterm" name="id362467"></a>
-<a class="indexterm" name="id362474"></a>
- This document describes how to use an LDAP directory for storing Samba user
- account information traditionally stored in the smbpasswd(5) file. It is
- assumed that the reader already has a basic understanding of LDAP concepts
- and has a working directory server already installed. For more information
- on LDAP architectures and directories, please refer to the following sites:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><a class="ulink" href="http://www.openldap.org/" target="_top">OpenLDAP</a></p></li><li class="listitem"><p><a class="ulink" href="http://www.sun.com/software/products/directory_srvr_ee/index.xml" target="_top">
- Sun One Directory Server</a></p></li><li class="listitem"><p><a class="ulink" href="http://www.novell.com/products/edirectory/" target="_top">Novell eDirectory</a></p></li><li class="listitem"><p><a class="ulink" href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">IBM
- Tivoli Directory Server</a></p></li><li class="listitem"><p><a class="ulink" href="http://www.redhat.com/software/rha/directory/" target="_top">Red Hat Directory
- Server</a></p></li><li class="listitem"><p><a class="ulink" href="http://www.linuxsecurity.com/content/view/119229" target="_top">Fedora Directory
- Server</a></p></li></ul></div><p>
- Two additional Samba resources that may prove to be helpful are:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id362547"></a>
- The <a class="ulink" href="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html" target="_top">Samba-PDC-LDAP-HOWTO</a>
- maintained by Ignacio Coupeau.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id362565"></a>
-<a class="indexterm" name="id362572"></a>
-<a class="indexterm" name="id362578"></a>
- The NT migration scripts from <a class="ulink" href="http://samba.idealx.org/" target="_top">IDEALX</a> that are
- geared to manage users and groups in such a Samba-LDAP domain controller configuration.
- Idealx also produced the smbldap-tools and the Interactive Console Management tool.
- </p></li></ul></div><div class="sect3" title="Supported LDAP Servers"><div class="titlepage"><div><div><h4 class="title"><a name="id362595"></a>Supported LDAP Servers</h4></div></div></div><p>
-<a class="indexterm" name="id362603"></a>
-<a class="indexterm" name="id362610"></a>
-<a class="indexterm" name="id362617"></a>
-<a class="indexterm" name="id362624"></a>
- The LDAP ldapsam code was developed and tested using the OpenLDAP 2.x server and
- client libraries. The same code should work with Netscape's Directory Server and client SDK.
- However, there are bound to be compile errors and bugs. These should not be hard to fix.
- Please submit fixes via the process outlined in <a class="link" href="bugreport.html" title="Chapter 40. Reporting Bugs">Reporting Bugs</a>.
- </p><p>
- Samba is capable of working with any standards-compliant LDAP server.
- </p></div><div class="sect3" title="Schema and Relationship to the RFC 2307 posixAccount"><div class="titlepage"><div><div><h4 class="title"><a name="id362646"></a>Schema and Relationship to the RFC 2307 posixAccount</h4></div></div></div><p>
- Samba-3.0 includes the necessary schema file for OpenLDAP 2.x in the
- <code class="filename">examples/LDAP/samba.schema</code> directory of the source code distribution
- tarball. The schema entry for the sambaSamAccount ObjectClass is shown here:
-</p><pre class="programlisting">
-ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
- DESC 'Samba-3.0 Auxiliary SAM Account'
- MUST ( uid $ sambaSID )
- MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
- sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
- sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
- displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
- sambaProfilePath $ description $ sambaUserWorkstations $
- sambaPrimaryGroupSID $ sambaDomainName ))
-</pre><p>
- </p><p>
-<a class="indexterm" name="id362676"></a>
-<a class="indexterm" name="id362682"></a>
-<a class="indexterm" name="id362689"></a>
- The <code class="filename">samba.schema</code> file has been formatted for OpenLDAP 2.0/2.1.
- The Samba Team owns the OID space used by the above schema and recommends its use.
- If you translate the schema to be used with Netscape DS, please submit the modified
- schema file as a patch to <a class="ulink" href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>.
- </p><p>
-<a class="indexterm" name="id362714"></a>
-<a class="indexterm" name="id362720"></a>
-<a class="indexterm" name="id362727"></a>
-<a class="indexterm" name="id362734"></a>
-<a class="indexterm" name="id362741"></a>
-<a class="indexterm" name="id362748"></a>
-<a class="indexterm" name="id362754"></a>
- Just as the smbpasswd file is meant to store information that provides information
- additional to a user's <code class="filename">/etc/passwd</code> entry, so is the sambaSamAccount
- object meant to supplement the UNIX user account information. A sambaSamAccount is an
- <code class="constant">AUXILIARY</code> ObjectClass, so it can be used to augment existing
- user account information in the LDAP directory, thus providing information needed
- for Samba account handling. However, there are several fields (e.g., uid) that overlap
- with the posixAccount ObjectClass outlined in RFC 2307. This is by design.
- </p><p>
-<a class="indexterm" name="id362778"></a>
-<a class="indexterm" name="id362785"></a>
-<a class="indexterm" name="id362792"></a>
-<a class="indexterm" name="id362799"></a>
-<a class="indexterm" name="id362806"></a>
-<a class="indexterm" name="id362812"></a>
-<a class="indexterm" name="id362819"></a>
-<a class="indexterm" name="id362826"></a>
-<a class="indexterm" name="id362833"></a>
- In order to store all user account information (UNIX and Samba) in the directory,
- it is necessary to use the sambaSamAccount and posixAccount ObjectClasses in
- combination. However, <code class="literal">smbd</code> will still obtain the user's UNIX account
- information via the standard C library calls, such as getpwnam().
- This means that the Samba server must also have the LDAP NSS library installed
- and functioning correctly. This division of information makes it possible to
- store all Samba account information in LDAP, but still maintain UNIX account
- information in NIS while the network is transitioning to a full LDAP infrastructure.
- </p></div><div class="sect3" title="OpenLDAP Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id362853"></a>OpenLDAP Configuration</h4></div></div></div><p>
-<a class="indexterm" name="id362860"></a>
-<a class="indexterm" name="id362867"></a>
-<a class="indexterm" name="id362874"></a>
-<a class="indexterm" name="id362881"></a>
- To include support for the sambaSamAccount object in an OpenLDAP directory
- server, first copy the samba.schema file to slapd's configuration directory.
- The samba.schema file can be found in the directory <code class="filename">examples/LDAP</code>
- in the Samba source distribution.
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cp samba.schema /etc/openldap/schema/</code></strong>
-</pre><p>
- </p><p>
-<a class="indexterm" name="id362915"></a>
-<a class="indexterm" name="id362922"></a>
-<a class="indexterm" name="id362928"></a>
-<a class="indexterm" name="id362935"></a>
-<a class="indexterm" name="id362942"></a>
-<a class="indexterm" name="id362948"></a>
-<a class="indexterm" name="id362955"></a>
-<a class="indexterm" name="id362962"></a>
- Next, include the <code class="filename">samba.schema</code> file in <code class="filename">slapd.conf</code>.
- The sambaSamAccount object contains two attributes that depend on other schema
- files. The <em class="parameter"><code>uid</code></em> attribute is defined in <code class="filename">cosine.schema</code> and
- the <em class="parameter"><code>displayName</code></em> attribute is defined in the <code class="filename">inetorgperson.schema</code>
- file. Both of these must be included before the <code class="filename">samba.schema</code> file.
-</p><pre class="programlisting">
-## /etc/openldap/slapd.conf
-
-## schema files (core.schema is required by default)
-include /etc/openldap/schema/core.schema
-
-## needed for sambaSamAccount
-include /etc/openldap/schema/cosine.schema
-include /etc/openldap/schema/inetorgperson.schema
-include /etc/openldap/schema/nis.schema
-include /etc/openldap/schema/samba.schema
-....
-</pre><p>
- </p><p>
-<a class="indexterm" name="id363024"></a>
-<a class="indexterm" name="id363031"></a>
-<a class="indexterm" name="id363038"></a>
-<a class="indexterm" name="id363044"></a>
- It is recommended that you maintain some indices on some of the most useful attributes,
- as in the following example, to speed up searches made on sambaSamAccount ObjectClasses
- (and possibly posixAccount and posixGroup as well):
- </p><p>
-</p><pre class="programlisting">
-# Indices to maintain
-## required by OpenLDAP
-index objectclass eq
-
-index cn pres,sub,eq
-index sn pres,sub,eq
-## required to support pdb_getsampwnam
-index uid pres,sub,eq
-## required to support pdb_getsambapwrid()
-index displayName pres,sub,eq
-
-## uncomment these if you are storing posixAccount and
-## posixGroup entries in the directory as well
-##index uidNumber eq
-##index gidNumber eq
-##index memberUid eq
-
-index sambaSID eq
-index sambaPrimaryGroupSID eq
-index sambaDomainName eq
-index default sub
-</pre><p>
-</p><p>
- Create the new index by executing:
-</p><pre class="screen">
-<code class="prompt">root# </code>./sbin/slapindex -f slapd.conf
-</pre><p>
- </p><p>
- Remember to restart slapd after making these changes:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>/etc/init.d/slapd restart</code></strong>
-</pre><p>
- </p></div><div class="sect3" title="Initialize the LDAP Database"><div class="titlepage"><div><div><h4 class="title"><a name="id363105"></a>Initialize the LDAP Database</h4></div></div></div><p>
-<a class="indexterm" name="id363113"></a>
-<a class="indexterm" name="id363120"></a>
-<a class="indexterm" name="id363126"></a>
-<a class="indexterm" name="id363133"></a>
- Before you can add accounts to the LDAP database, you must create the account containers
- that they will be stored in. The following LDIF file should be modified to match your
- needs (DNS entries, and so on):
-</p><pre class="programlisting">
-# Organization for Samba Base
-dn: dc=quenya,dc=org
-objectclass: dcObject
-objectclass: organization
-dc: quenya
-o: Quenya Org Network
-description: The Samba-3 Network LDAP Example
-
-# Organizational Role for Directory Management
-dn: cn=Manager,dc=quenya,dc=org
-objectclass: organizationalRole
-cn: Manager
-description: Directory Manager
-
-# Setting up container for Users OU
-dn: ou=People,dc=quenya,dc=org
-objectclass: top
-objectclass: organizationalUnit
-ou: People
-
-# Setting up admin handle for People OU
-dn: cn=admin,ou=People,dc=quenya,dc=org
-cn: admin
-objectclass: top
-objectclass: organizationalRole
-objectclass: simpleSecurityObject
-userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
-
-# Setting up container for groups
-dn: ou=Groups,dc=quenya,dc=org
-objectclass: top
-objectclass: organizationalUnit
-ou: Groups
-
-# Setting up admin handle for Groups OU
-dn: cn=admin,ou=Groups,dc=quenya,dc=org
-cn: admin
-objectclass: top
-objectclass: organizationalRole
-objectclass: simpleSecurityObject
-userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
-
-# Setting up container for computers
-dn: ou=Computers,dc=quenya,dc=org
-objectclass: top
-objectclass: organizationalUnit
-ou: Computers
-
-# Setting up admin handle for Computers OU
-dn: cn=admin,ou=Computers,dc=quenya,dc=org
-cn: admin
-objectclass: top
-objectclass: organizationalRole
-objectclass: simpleSecurityObject
-userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
-</pre><p>
- </p><p>
-<a class="indexterm" name="id363162"></a>
-<a class="indexterm" name="id363169"></a>
- The userPassword shown above should be generated using <code class="literal">slappasswd</code>.
- </p><p>
-<a class="indexterm" name="id363186"></a>
-<a class="indexterm" name="id363192"></a>
- The following command will then load the contents of the LDIF file into the LDAP
- database.
-<a class="indexterm" name="id363200"></a>
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>slapadd -v -l initldap.dif</code></strong>
-</pre><p>
- </p><p>
- Do not forget to secure your LDAP server with an adequate access control list
- as well as an admin password.
- </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id363231"></a>
- Before Samba can access the LDAP server, you need to store the LDAP admin password
- in the Samba-3 <code class="filename">secrets.tdb</code> database by:
-<a class="indexterm" name="id363245"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -w <em class="replaceable"><code>secret</code></em></code></strong>
-</pre><p>
- </p></div></div><div class="sect3" title="Configuring Samba"><div class="titlepage"><div><div><h4 class="title"><a name="id363272"></a>Configuring Samba</h4></div></div></div><p>
-<a class="indexterm" name="id363280"></a>
-<a class="indexterm" name="id363287"></a>
- The following parameters are available in <code class="filename">smb.conf</code> only if your version of Samba was built with
- LDAP support. Samba automatically builds with LDAP support if the LDAP libraries are found. The
- best method to verify that Samba was built with LDAP support is:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbd -b | grep LDAP
- HAVE_LDAP_H
- HAVE_LDAP
- HAVE_LDAP_DOMAIN2HOSTLIST
- HAVE_LDAP_INIT
- HAVE_LDAP_INITIALIZE
- HAVE_LDAP_SET_REBIND_PROC
- HAVE_LIBLDAP
- LDAP_SET_REBIND_PROC_ARGS
-</pre><p>
- If the build of the <code class="literal">smbd</code> command you are using does not produce output
- that includes <code class="literal">HAVE_LDAP_H</code> it is necessary to discover why the LDAP headers
- and libraries were not found during compilation.
- </p><p>LDAP-related smb.conf options include these:
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id363337"></a><em class="parameter"><code>passdb backend = ldapsam:url</code></em></td></tr><tr><td><a class="indexterm" name="id363349"></a></td></tr><tr><td><a class="indexterm" name="id363356"></a></td></tr><tr><td><a class="indexterm" name="id363363"></a></td></tr><tr><td><a class="indexterm" name="id363369"></a></td></tr><tr><td><a class="indexterm" name="id363376"></a></td></tr><tr><td><a class="indexterm" name="id363383"></a></td></tr><tr><td><a class="indexterm" name="id363390"></a></td></tr><tr><td><a class="indexterm" name="id363397"></a></td></tr><tr><td><a class="indexterm" name="id363403"></a></td></tr><tr><td><a class="indexterm" name="id363410"></a></td></tr><tr><td><a class="indexterm" name="id363417"></a></td></tr><tr><td><a class="indexterm" name="id363424"></a></td></tr><tr><td><a class="indexterm" name="id363431"></a></td></tr></table><p>
- </p><p>
- These are described in the <code class="filename">smb.conf</code> man page and so are not repeated here. However, an example
- for use with an LDAP directory is shown in <a class="link" href="passdb.html#confldapex" title="Example 11.2. Configuration with LDAP">the Configuration with LDAP.</a>
- </p><div class="example"><a name="confldapex"></a><p class="title"><b>Example 11.2. Configuration with LDAP</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id363480"></a><em class="parameter"><code>security = user</code></em></td></tr><tr><td><a class="indexterm" name="id363492"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr><tr><td><a class="indexterm" name="id363503"></a><em class="parameter"><code>netbios name = MORIA</code></em></td></tr><tr><td><a class="indexterm" name="id363515"></a><em class="parameter"><code>workgroup = NOLDOR</code></em></td></tr><tr><td># LDAP related parameters:</td></tr><tr><td># Define the DN used when binding to the LDAP servers.</td></tr><tr><td># The password for this DN is not stored in smb.conf</td></tr><tr><td># Set it using 'smbpasswd -w secret' to store the</td></tr><tr><td># passphrase in the secrets.tdb file.</td></tr><tr><td># If the "ldap admin dn" value changes, it must be reset.</td></tr><tr><td><a class="indexterm" name="id363548"></a><em class="parameter"><code>ldap admin dn = "cn=Manager,dc=quenya,dc=org"</code></em></td></tr><tr><td># SSL directory connections can be configured by:</td></tr><tr><td># ('off', 'start tls', or 'on' (default))</td></tr><tr><td><a class="indexterm" name="id363568"></a><em class="parameter"><code>ldap ssl = start tls</code></em></td></tr><tr><td># syntax: passdb backend = ldapsam:ldap://server-name[:port]</td></tr><tr><td><a class="indexterm" name="id363583"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://frodo.quenya.org</code></em></td></tr><tr><td># smbpasswd -x delete the entire dn-entry</td></tr><tr><td><a class="indexterm" name="id363598"></a><em class="parameter"><code>ldap delete dn = no</code></em></td></tr><tr><td># The machine and user suffix are added to the base 
suffix</td></tr><tr><td># wrote WITHOUT quotes. NULL suffixes by default</td></tr><tr><td><a class="indexterm" name="id363618"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id363629"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id363641"></a><em class="parameter"><code>ldap machine suffix = ou=Computers</code></em></td></tr><tr><td># Trust UNIX account information in LDAP</td></tr><tr><td># (see the smb.conf man page for details)</td></tr><tr><td># Specify the base DN to use when searching the directory</td></tr><tr><td><a class="indexterm" name="id363664"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" title="Accounts and Groups Management"><div class="titlepage"><div><div><h4 class="title"><a name="id363677"></a>Accounts and Groups Management</h4></div></div></div><p>
- <a class="indexterm" name="id363685"></a>
- <a class="indexterm" name="id363692"></a>
- Because user accounts are managed through the sambaSamAccount ObjectClass, you should
- modify your existing administration tools to deal with sambaSamAccount attributes.
- </p><p>
-<a class="indexterm" name="id363706"></a>
-<a class="indexterm" name="id363713"></a>
-<a class="indexterm" name="id363720"></a>
- Machine accounts are managed with the sambaSamAccount ObjectClass, just
- like user accounts. However, it is up to you to store those accounts
- in a different tree of your LDAP namespace. You should use
- <span class="quote">&#8220;<span class="quote">ou=Groups,dc=quenya,dc=org</span>&#8221;</span> to store groups and
- <span class="quote">&#8220;<span class="quote">ou=People,dc=quenya,dc=org</span>&#8221;</span> to store users. Just configure your
- NSS and PAM accordingly (usually, in the <code class="filename">/etc/openldap/sldap.conf</code>
- configuration file).
- </p><p>
-<a class="indexterm" name="id363746"></a>
-<a class="indexterm" name="id363753"></a>
-<a class="indexterm" name="id363760"></a>
-<a class="indexterm" name="id363766"></a>
- In Samba-3, the group management system is based on POSIX
- groups. This means that Samba makes use of the posixGroup ObjectClass.
- For now, there is no NT-like group system management (global and local
- groups). Samba-3 knows only about <code class="constant">Domain Groups</code>
- and, unlike MS Windows 2000 and Active Directory, Samba-3 does not
- support nested groups.
- </p></div><div class="sect3" title="Security and sambaSamAccount"><div class="titlepage"><div><div><h4 class="title"><a name="id363782"></a>Security and sambaSamAccount</h4></div></div></div><p>
-<a class="indexterm" name="id363790"></a>
- There are two important points to remember when discussing the security
- of sambaSAMAccount entries in the directory.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>Never</em></span> retrieve the SambaLMPassword or
-<a class="indexterm" name="id363807"></a>
- SambaNTPassword attribute values over an unencrypted LDAP session.</p></li><li class="listitem"><p><span class="emphasis"><em>Never</em></span> allow non-admin users to
- view the SambaLMPassword or SambaNTPassword attribute values.</p></li></ul></div><p>
-<a class="indexterm" name="id363826"></a>
-<a class="indexterm" name="id363833"></a>
-<a class="indexterm" name="id363840"></a>
- These password hashes are clear-text equivalents and can be used to impersonate
- the user without deriving the original clear-text strings. For more information
- on the details of LM/NT password hashes, refer to <a class="link" href="passdb.html" title="Chapter 11. Account Information Databases">the
- Account Information Database section</a>.
- </p><p>
-<a class="indexterm" name="id363859"></a>
-<a class="indexterm" name="id363866"></a>
-<a class="indexterm" name="id363872"></a>
-<a class="indexterm" name="id363879"></a>
- To remedy the first security issue, the <a class="link" href="smb.conf.5.html#LDAPSSL" target="_top">ldap ssl</a> <code class="filename">smb.conf</code>
- parameter defaults to require an encrypted session (<a class="link" href="smb.conf.5.html#LDAPSSL" target="_top">ldap ssl = on</a>) using the default port of <code class="constant">636</code> when
- contacting the directory server. When using an OpenLDAP server, it
- is possible to use the StartTLS LDAP extended operation in the place of LDAPS.
- In either case, you are strongly encouraged to use secure communications protocols
- (so do not set <a class="link" href="smb.conf.5.html#LDAPSSL" target="_top">ldap ssl = off</a>).
- </p><p>
-<a class="indexterm" name="id363935"></a>
-<a class="indexterm" name="id363942"></a>
-<a class="indexterm" name="id363948"></a>
- Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
- extended operation. However, the OpenLDAP library still provides support for
- the older method of securing communication between clients and servers.
- </p><p>
-<a class="indexterm" name="id363961"></a>
-<a class="indexterm" name="id363968"></a>
-<a class="indexterm" name="id363974"></a>
- The second security precaution is to prevent non-administrative users from
- harvesting password hashes from the directory. This can be done using the
- following ACL in <code class="filename">slapd.conf</code>:
- </p><p>
-</p><pre class="programlisting">
-## allow the "ldap admin dn" access, but deny everyone else
-access to attrs=SambaLMPassword,SambaNTPassword
- by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
- by * none
-</pre><p>
-</p></div><div class="sect3" title="LDAP Special Attributes for sambaSamAccounts"><div class="titlepage"><div><div><h4 class="title"><a name="id364001"></a>LDAP Special Attributes for sambaSamAccounts</h4></div></div></div><p> The sambaSamAccount ObjectClass is composed of the attributes shown in next tables: <a class="link" href="passdb.html#attribobjclPartA" title="Table 11.3. Attributes in the sambaSamAccount ObjectClass (LDAP), Part A">Part A</a>, and <a class="link" href="passdb.html#attribobjclPartB" title="Table 11.4. Attributes in the sambaSamAccount ObjectClass (LDAP), Part B">Part B</a>.
- </p><div class="table"><a name="attribobjclPartA"></a><p class="title"><b>Table 11.3. Attributes in the sambaSamAccount ObjectClass (LDAP), Part A</b></p><div class="table-contents"><table summary="Attributes in the sambaSamAccount ObjectClass (LDAP), Part A" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left"><code class="constant">sambaLMPassword</code></td><td align="justify">The LanMan password 16-byte hash stored as a character
- representation of a hexadecimal string.</td></tr><tr><td align="left"><code class="constant">sambaNTPassword</code></td><td align="justify">The NT password 16-byte hash stored as a character
- representation of a hexadecimal string.</td></tr><tr><td align="left"><code class="constant">sambaPwdLastSet</code></td><td align="justify">The integer time in seconds since 1970 when the
- <code class="constant">sambaLMPassword</code> and <code class="constant">sambaNTPassword</code> attributes were last set.
- </td></tr><tr><td align="left"><code class="constant">sambaAcctFlags</code></td><td align="justify">String of 11 characters surrounded by square brackets [ ]
- representing account flags such as U (user), W (workstation), X (no password expiration),
- I (domain trust account), H (home dir required), S (server trust account),
- and D (disabled).</td></tr><tr><td align="left"><code class="constant">sambaLogonTime</code></td><td align="justify">Integer value currently unused.</td></tr><tr><td align="left"><code class="constant">sambaLogoffTime</code></td><td align="justify">Integer value currently unused.</td></tr><tr><td align="left"><code class="constant">sambaKickoffTime</code></td><td align="justify">Specifies the time (UNIX time format) when the user
- will be locked down and cannot login any longer. If this attribute is omitted, then the account will never expire.
- Using this attribute together with shadowExpire of the shadowAccount ObjectClass will enable accounts to
- expire completely on an exact date.</td></tr><tr><td align="left"><code class="constant">sambaPwdCanChange</code></td><td align="justify">Specifies the time (UNIX time format)
- after which the user is allowed to change his password. If this attribute is not set, the user will be free
- to change his password whenever he wants.</td></tr><tr><td align="left"><code class="constant">sambaPwdMustChange</code></td><td align="justify">Specifies the time (UNIX time format) when the user is
- forced to change his password. If this value is set to 0, the user will have to change his password at first login.
- If this attribute is not set, then the password will never expire.</td></tr><tr><td align="left"><code class="constant">sambaHomeDrive</code></td><td align="justify">Specifies the drive letter to which to map the
- UNC path specified by sambaHomePath. The drive letter must be specified in the form <span class="quote">&#8220;<span class="quote">X:</span>&#8221;</span>
- where X is the letter of the drive to map. Refer to the <span class="quote">&#8220;<span class="quote">logon drive</span>&#8221;</span> parameter in the
- smb.conf(5) man page for more information.</td></tr><tr><td align="left"><code class="constant">sambaLogonScript</code></td><td align="justify">The sambaLogonScript property specifies the path of
- the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
- is relative to the netlogon share. Refer to the <a class="link" href="smb.conf.5.html#LOGONSCRIPT" target="_top">logon script</a> parameter in the
- <code class="filename">smb.conf</code> man page for more information.</td></tr><tr><td align="left"><code class="constant">sambaProfilePath</code></td><td align="justify">Specifies a path to the user's profile.
- This value can be a null string, a local absolute path, or a UNC path. Refer to the
- <a class="link" href="smb.conf.5.html#LOGONPATH" target="_top">logon path</a> parameter in the <code class="filename">smb.conf</code> man page for more information.</td></tr><tr><td align="left"><code class="constant">sambaHomePath</code></td><td align="justify">The sambaHomePath property specifies the path of
- the home directory for the user. The string can be null. If sambaHomeDrive is set and specifies
- a drive letter, sambaHomePath should be a UNC path. The path must be a network
- UNC path of the form <code class="filename">\\server\share\directory</code>. This value can be a null string.
- Refer to the <code class="literal">logon home</code> parameter in the <code class="filename">smb.conf</code> man page for more information.
- </td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="attribobjclPartB"></a><p class="title"><b>Table 11.4. Attributes in the sambaSamAccount ObjectClass (LDAP), Part B</b></p><div class="table-contents"><table summary="Attributes in the sambaSamAccount ObjectClass (LDAP), Part B" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left"><code class="constant">sambaUserWorkstations</code></td><td align="justify">Here you can give a comma-separated list of machines
- on which the user is allowed to login. You may observe problems when you try to connect to a Samba domain member.
- Because domain members are not in this list, the domain controllers will reject them. Where this attribute is omitted,
- the default implies no restrictions.
- </td></tr><tr><td align="left"><code class="constant">sambaSID</code></td><td align="justify">The security identifier(SID) of the user.
- The Windows equivalent of UNIX UIDs.</td></tr><tr><td align="left"><code class="constant">sambaPrimaryGroupSID</code></td><td align="justify">The security identifier (SID) of the primary group
- of the user.</td></tr><tr><td align="left"><code class="constant">sambaDomainName</code></td><td align="justify">Domain the user is part of.</td></tr></tbody></table></div></div><br class="table-break"><p>
-<a class="indexterm" name="id364317"></a>
-<a class="indexterm" name="id364324"></a>
- The majority of these parameters are only used when Samba is acting as a PDC of
- a domain (refer to <a class="link" href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>, for details on
- how to configure Samba as a PDC). The following four attributes
- are only stored with the sambaSamAccount entry if the values are non-default values:
- </p><div class="itemizedlist"><a class="indexterm" name="id364343"></a><a class="indexterm" name="id364350"></a><a class="indexterm" name="id364357"></a><a class="indexterm" name="id364364"></a><ul class="itemizedlist" type="disc"><li class="listitem"><p>sambaHomePath</p></li><li class="listitem"><p>sambaLogonScript</p></li><li class="listitem"><p>sambaProfilePath</p></li><li class="listitem"><p>sambaHomeDrive</p></li></ul></div><p>
-<a class="indexterm" name="id364392"></a>
-<a class="indexterm" name="id364399"></a>
-<a class="indexterm" name="id364405"></a>
- These attributes are only stored with the sambaSamAccount entry if
- the values are non-default values. For example, assume MORIA has now been
- configured as a PDC and that <a class="link" href="smb.conf.5.html#LOGONHOME" target="_top">logon home = \\%L\%u</a> was defined in
- its <code class="filename">smb.conf</code> file. When a user named <span class="quote">&#8220;<span class="quote">becky</span>&#8221;</span> logs on to the domain,
- the <a class="link" href="smb.conf.5.html#LOGONHOME" target="_top">logon home</a> string is expanded to \\MORIA\becky.
- If the smbHome attribute exists in the entry <span class="quote">&#8220;<span class="quote">uid=becky,ou=People,dc=samba,dc=org</span>&#8221;</span>,
- this value is used. However, if this attribute does not exist, then the value
- of the <a class="link" href="smb.conf.5.html#LOGONHOME" target="_top">logon home</a> parameter is used in its place. Samba
- will only write the attribute value to the directory entry if the value is
- something other than the default (e.g., <code class="filename">\\MOBY\becky</code>).
- </p></div><div class="sect3" title="Example LDIF Entries for a sambaSamAccount"><div class="titlepage"><div><div><h4 class="title"><a name="id364472"></a>Example LDIF Entries for a sambaSamAccount</h4></div></div></div><p>
- The following is a working LDIF that demonstrates the use of the SambaSamAccount ObjectClass:
-</p><pre class="programlisting">
-dn: uid=guest2, ou=People,dc=quenya,dc=org
-sambaLMPassword: 878D8014606CDA29677A44EFA1353FC7
-sambaPwdMustChange: 2147483647
-sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-513
-sambaNTPassword: 552902031BEDE9EFAAD3B435B51404EE
-sambaPwdLastSet: 1010179124
-sambaLogonTime: 0
-objectClass: sambaSamAccount
-uid: guest2
-sambaKickoffTime: 2147483647
-sambaAcctFlags: [UX ]
-sambaLogoffTime: 2147483647
-sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5006
-sambaPwdCanChange: 0
-</pre><p>
- </p><p>
- The following is an LDIF entry for using both the sambaSamAccount and
- posixAccount ObjectClasses:
-</p><pre class="programlisting">
-dn: uid=gcarter, ou=People,dc=quenya,dc=org
-sambaLogonTime: 0
-displayName: Gerald Carter
-sambaLMPassword: 552902031BEDE9EFAAD3B435B51404EE
-sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-1201
-objectClass: posixAccount
-objectClass: sambaSamAccount
-sambaAcctFlags: [UX ]
-userPassword: {crypt}BpM2ej8Rkzogo
-uid: gcarter
-uidNumber: 9000
-cn: Gerald Carter
-loginShell: /bin/bash
-logoffTime: 2147483647
-gidNumber: 100
-sambaKickoffTime: 2147483647
-sambaPwdLastSet: 1010179230
-sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5004
-homeDirectory: /home/moria/gcarter
-sambaPwdCanChange: 0
-sambaPwdMustChange: 2147483647
-sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7
-</pre><p>
- </p></div><div class="sect3" title="Password Synchronization"><div class="titlepage"><div><div><h4 class="title"><a name="id364508"></a>Password Synchronization</h4></div></div></div><p>
- Samba-3 and later can update the non-Samba (LDAP) password stored with an account. When
- using pam_ldap, this allows changing both UNIX and Windows passwords at once.
- </p><p>The <a class="link" href="smb.conf.5.html#LDAPPASSWDSYNC" target="_top">ldap passwd sync</a> options can have the values shown in
- <a class="link" href="passdb.html#ldappwsync" title="Table 11.5. Possible ldap passwd sync Values">Possible <span class="emphasis"><em>ldap passwd sync</em></span> Values</a>.</p><div class="table"><a name="ldappwsync"></a><p class="title"><b>Table 11.5. Possible <em class="parameter"><code>ldap passwd sync</code></em> Values</b></p><div class="table-contents"><table summary="Possible ldap passwd sync Values" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Value</th><th align="center">Description</th></tr></thead><tbody><tr><td align="left">yes</td><td align="justify"><p>When the user changes his password, update
- <code class="constant">SambaNTPassword</code>, <code class="constant">SambaLMPassword</code>,
- and the <code class="constant">password</code> fields.</p></td></tr><tr><td align="left">no</td><td align="justify"><p>Only update <code class="constant">SambaNTPassword</code> and
- <code class="constant">SambaLMPassword</code>.</p></td></tr><tr><td align="left">only</td><td align="justify"><p>Only update the LDAP password and let the LDAP server
- worry about the other fields. This option is only available on some LDAP servers and
- only when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD.</p></td></tr></tbody></table></div></div><br class="table-break"><p>More information can be found in the <code class="filename">smb.conf</code> man page.</p></div><div class="sect3" title="Using OpenLDAP Overlay for Password Synchronization"><div class="titlepage"><div><div><h4 class="title"><a name="id364654"></a>Using OpenLDAP Overlay for Password Synchronization</h4></div></div></div><p>
- Howard Chu has written a special overlay called <code class="literal">smbk5pwd</code>. This tool modifies the
- <code class="literal">SambaNTPassword</code>, <code class="literal">SambaLMPassword</code> and <code class="literal">Heimdal</code>
- hashes in an OpenLDAP entry when an LDAP_EXOP_X_MODIFY_PASSWD operation is performed.
- </p><p>
- The overlay is shipped with OpenLDAP-2.3 and can be found in the
- <code class="filename">contrib/slapd-modules/smbk5pwd</code> subdirectory. This module can also be used with
- OpenLDAP-2.2.
- </p></div></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id364701"></a>Common Errors</h2></div></div></div><div class="sect2" title="Users Cannot Logon"><div class="titlepage"><div><div><h3 class="title"><a name="id364707"></a>Users Cannot Logon</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">I've installed Samba, but now I can't log on with my UNIX account! </span>&#8221;</span></p><p>Make sure your user has been added to the current Samba <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>.
- Read the <a class="link" href="passdb.html#acctmgmttools" title="Account Management Tools">Account Management Tools</a> for details.</p></div><div class="sect2" title="Configuration of auth methods"><div class="titlepage"><div><div><h3 class="title"><a name="id364741"></a>Configuration of <em class="parameter"><code>auth methods</code></em></h3></div></div></div><p>
- When explicitly setting an <a class="link" href="smb.conf.5.html#AUTHMETHODS" target="_top">auth methods</a> parameter,
- <em class="parameter"><code>guest</code></em> must be specified as the first entry on the line
- for example, <a class="link" href="smb.conf.5.html#AUTHMETHODS" target="_top">auth methods = guest sam</a>.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 10. Network Browsing </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Group Mapping: MS Windows and UNIX</td></tr></table></div></body></html>
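Review bot: The slapd.conf ACL in the removed "Security and sambaSamAccount" section grants write on SambaLMPassword and SambaNTPassword to cn=Samba Admin,ou=People,dc=quenya,dc=org, while Example 11.2 in the same hunk sets ldap admin dn = "cn=Manager,dc=quenya,dc=org", so a reader who copies both gets an ACL that does not name the DN Samba binds as. If this chapter is kept anywhere else in the tree, align the two DNs there. Other inconsistencies in the removed lines are worth fixing in the same pass. The guest2 LDIF carries 552902031BEDE9EFAAD3B435B51404EE under sambaNTPassword and the gcarter LDIF carries it under sambaLMPassword; the AAD3B435B51404EE tail is the LM half-hash of an empty block, so the guest2 values look swapped. The gcarter entry has logoffTime without the samba prefix. The logon home paragraph says smbHome and dc=samba,dc=org where the tables and examples use sambaHomePath and dc=quenya,dc=org. The NSS/PAM sentence points at /etc/openldap/sldap.conf, which looks like a misspelling.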
diff --git a/docs/htmldocs/Samba3-HOWTO/pr01.html b/docs/htmldocs/Samba3-HOWTO/pr01.html
deleted file mode 100644
index 79e2dca3f3..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/pr01.html
+++ /dev/null
@@ -1,30 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>About the Cover Artwork</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="next" href="pr02.html" title="Attribution"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">About the Cover Artwork</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr></table><hr></div><div lang="en-US" class="preface" title="About the Cover Artwork"><div class="titlepage"><div><div><h2 class="title"><a name="id281790"></a>About the Cover Artwork</h2></div></div></div><p>
- The cover artwork of this book continues the freedom theme of the first edition of <span class="quote">&#8220;<span class="quote">The Official Samba-3
- HOWTO and Reference Guide</span>&#8221;</span>. We may look back upon the past to question the motives of those who have
- gone before us. Seldom do we realise that the past owes us no answer, and despite what we may think of the
- actions of those who have travelled lifes' road before us, we must feel a sense of pride and gratitude for
- those who, in the past, have protected our liberties.
- </p><p>
- Developments in information technology continue to move at an alarming pace. Human nature causes us
- to adopt and embrace new developments that appear to answer the needs of the moment, but that can entrap
- us at a future date. There are many examples in the short history of information technology. MS-DOS was
- seen as a tool that liberated users from the tyrany of large computer system operating costs, and that
- made possible the rapid progres we are beneficiaries of today. Yet today we are inclined to look back with
- disdain on MS-DOS as an obsolete and constraining technology that belongs are an era that is best
- forgotten.
- </p><p>
- The embrace of Windows networking, Windows NT4, and MS Active Directory in more recent times, may seem
- modern and progressive today, but sooner or later something better will replace them. The current
- preoccupation with extended identity management solutions and with directories is not unexpected.
- The day will come that these too will be evaluated, and what may seem refreshing and powerful may
- be better recogized as the chilly winds of the night. To argue against progress is unthinkable,
- no matter what may lie ahead.
- </p><p>
- The development of Samba is moving forwards. The changes since Samba 3.0.0 are amazing, yet many
- users would like to see more and faster progress. The benefits of recent developments can be realized
- quickly, but documentation is necessary to unlock the pandoras' box. It is our hope that this book
- will help the network administrator to rapidly deploy the new features with minimum effort. As you
- deploy and gain mileage from the new enablement, take the time to think through what may lie ahead.
- Above all, take stock of the freedom of choice that Samba provides in your world, and enjoy the new
- potential for seamless interoperability.
- </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">The Official Samba 3.5.x HOWTO and Reference Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Attribution</td></tr></table></div></body></html>
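Review bot: The removed preface text has spelling and grammar errors that should be corrected wherever the source of this generated page is kept (the meta tag names DocBook XSL Stylesheets as the generator): "lifes' road", "tyrany", "progres", "belongs are an era", "recogized" and "pandoras' box".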
diff --git a/docs/htmldocs/Samba3-HOWTO/pr02.html b/docs/htmldocs/Samba3-HOWTO/pr02.html
deleted file mode 100644
index 151f6382dd..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/pr02.html
+++ /dev/null
@@ -1,95 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Attribution</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="pr01.html" title="About the Cover Artwork"><link rel="next" href="pr03.html" title="Foreword"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Attribution</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr03.html">Next</a></td></tr></table><hr></div><div class="preface" title="Attribution"><div class="titlepage"><div><div><h2 class="title"><a name="id281836"></a>Attribution</h2></div></div></div><p><a class="link" href="install.html" title="Chapter 1. How to Install and Test SAMBA">How to Install and Test SAMBA</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Andrew Tridgell<a class="ulink" href="mailto:tridge@samba.org" target="_top">mailto:tridge@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Karl Auer<a class="ulink" href="mailto:kauer@biplane.com.au" target="_top">mailto:kauer@biplane.com.au</a></p></li><li class="listitem"><p>Dan Shearer<a class="ulink" href="mailto:dan@samba.org" target="_top">mailto:dan@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="FastStart.html" title="Chapter 2. Fast Start: Cure for Impatience">Fast Start: Cure for Impatience</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="ServerType.html" title="Chapter 3. Server Types and Security Modes">Server Types and Security Modes</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Andrew Tridgell<a class="ulink" href="mailto:tridge@samba.org" target="_top">mailto:tridge@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Gerald (Jerry) Carter<a class="ulink" href="mailto:jerry@samba.org" target="_top">mailto:jerry@samba.org</a></p></li><li class="listitem"><p>David Bannon<a class="ulink" href="mailto:dbannon@samba.org" target="_top">mailto:dbannon@samba.org</a></p></li><li class="listitem"><p>Guenther Deschner<a class="ulink" href="mailto:gd@samba.org" target="_top">mailto:gd@samba.org</a> (LDAP updates) </p></li></ul></div><p>
-</p><p><a class="link" href="samba-bdc.html" title="Chapter 5. Backup Domain Control">Backup Domain Control</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Volker Lendecke<a class="ulink" href="mailto:Volker.Lendecke@SerNet.DE" target="_top">mailto:Volker.Lendecke@SerNet.DE</a></p></li><li class="listitem"><p>Guenther Deschner<a class="ulink" href="mailto:gd@samba.org" target="_top">mailto:gd@samba.org</a> (LDAP updates) </p></li></ul></div><p>
-</p><p><a class="link" href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Jeremy Allison<a class="ulink" href="mailto:jra@samba.org" target="_top">mailto:jra@samba.org</a></p></li><li class="listitem"><p>Gerald (Jerry) Carter<a class="ulink" href="mailto:jerry@samba.org" target="_top">mailto:jerry@samba.org</a></p></li><li class="listitem"><p>Andrew Tridgell<a class="ulink" href="mailto:tridge@samba.org" target="_top">mailto:tridge@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>Guenther Deschner<a class="ulink" href="mailto:gd@samba.org" target="_top">mailto:gd@samba.org</a> (LDAP updates) </p></li></ul></div><p>
-</p><p><a class="link" href="StandAloneServer.html" title="Chapter 7. Standalone Servers">Standalone Servers</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="ClientConfig.html" title="Chapter 8. MS Windows Network Configuration Guide">MS Windows Network Configuration Guide</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="ChangeNotes.html" title="Chapter 9. Important and Critical Change Notes for the Samba 3.x Series">Important and Critical Change Notes for the Samba 3.x Series</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Gerald (Jerry) Carter<a class="ulink" href="mailto:jerry@samba.org" target="_top">mailto:jerry@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>Jonathan Johnson<a class="ulink" href="mailto:jon@sutinen.com" target="_top">mailto:jon@sutinen.com</a></p></li></ul></div><p>
-</p><p><a class="link" href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Databases</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Gerald (Jerry) Carter<a class="ulink" href="mailto:jerry@samba.org" target="_top">mailto:jerry@samba.org</a></p></li><li class="listitem"><p>Jeremy Allison<a class="ulink" href="mailto:jra@samba.org" target="_top">mailto:jra@samba.org</a></p></li><li class="listitem"><p>Guenther Deschner<a class="ulink" href="mailto:gd@samba.org" target="_top">mailto:gd@samba.org</a> (LDAP updates) </p></li><li class="listitem"><p>Olivier (lem) Lemaire<a class="ulink" href="mailto:olem@IDEALX.org" target="_top">mailto:olem@IDEALX.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX">Group Mapping: MS Windows and UNIX</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Jean François Micouleau</p></li><li class="listitem"><p>Gerald (Jerry) Carter<a class="ulink" href="mailto:jerry@samba.org" target="_top">mailto:jerry@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command">Remote and Local Management: The Net Command</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Volker Lendecke<a class="ulink" href="mailto:Volker.Lendecke@SerNet.DE" target="_top">mailto:Volker.Lendecke@SerNet.DE</a></p></li><li class="listitem"><p>Guenther Deschner<a class="ulink" href="mailto:gd@samba.org" target="_top">mailto:gd@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)">Identity Mapping (IDMAP)</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="rights.html" title="Chapter 15. User Rights and Privileges">User Rights and Privileges</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Gerald (Jerry) Carter<a class="ulink" href="mailto:jerry@samba.org" target="_top">mailto:jerry@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">File, Directory, and Share Access Controls</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Jeremy Allison<a class="ulink" href="mailto:jra@samba.org" target="_top">mailto:jra@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a> (drawing) </p></li></ul></div><p>
-</p><p><a class="link" href="locking.html" title="Chapter 17. File and Record Locking">File and Record Locking</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Jeremy Allison<a class="ulink" href="mailto:jra@samba.org" target="_top">mailto:jra@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Eric Roseme<a class="ulink" href="mailto:eric.roseme@hp.com" target="_top">mailto:eric.roseme@hp.com</a></p></li></ul></div><p>
-</p><p><a class="link" href="securing-samba.html" title="Chapter 18. Securing Samba">Securing Samba</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Andrew Tridgell<a class="ulink" href="mailto:tridge@samba.org" target="_top">mailto:tridge@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="InterdomainTrusts.html" title="Chapter 19. Interdomain Trust Relationships">Interdomain Trust Relationships</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Rafal Szczesniak<a class="ulink" href="mailto:mimir@samba.org" target="_top">mailto:mimir@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a> (drawing) </p></li><li class="listitem"><p>Stephen Langasek<a class="ulink" href="mailto:vorlon@netexpress.net" target="_top">mailto:vorlon@netexpress.net</a></p></li></ul></div><p>
-</p><p><a class="link" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree">Hosting a Microsoft Distributed File System Tree</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Shirish Kalele<a class="ulink" href="mailto:samba@samba.org" target="_top">mailto:samba@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="classicalprinting.html" title="Chapter 21. Classical Printing Support">Classical Printing Support</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Kurt Pfeifle<a class="ulink" href="mailto:kpfeifle@danka.de" target="_top">mailto:kpfeifle@danka.de</a></p></li><li class="listitem"><p>Gerald (Jerry) Carter<a class="ulink" href="mailto:jerry@samba.org" target="_top">mailto:jerry@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support">CUPS Printing Support</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Kurt Pfeifle<a class="ulink" href="mailto:kpfeifle@danka.de" target="_top">mailto:kpfeifle@danka.de</a></p></li><li class="listitem"><p>Ciprian Vizitiu<a class="ulink" href="mailto:CVizitiu@gbif.org" target="_top">mailto:CVizitiu@gbif.org</a> (drawings) </p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a> (drawings) </p></li></ul></div><p>
-</p><p><a class="link" href="VFS.html" title="Chapter 23. Stackable VFS modules">Stackable VFS modules</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Tim Potter<a class="ulink" href="mailto:tpot@samba.org" target="_top">mailto:tpot@samba.org</a></p></li><li class="listitem"><p>Simo Sorce (original vfs_skel README) </p></li><li class="listitem"><p>Alexander Bokovoy (original vfs_netatalk docs) </p></li><li class="listitem"><p>Stefan Metzmacher (Update for multiple modules) </p></li><li class="listitem"><p>Ed Riddle (original shadow_copy docs) </p></li></ul></div><p>
-</p><p><a class="link" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Tim Potter<a class="ulink" href="mailto:tpot@linuxcare.com.au" target="_top">mailto:tpot@linuxcare.com.au</a></p></li><li class="listitem"><p>Andrew Tridgell<a class="ulink" href="mailto:tridge@samba.org" target="_top">mailto:tridge@samba.org</a></p></li><li class="listitem"><p>Naag Mummaneni<a class="ulink" href="mailto:getnag@rediffmail.com" target="_top">mailto:getnag@rediffmail.com</a> (Notes for Solaris) </p></li><li class="listitem"><p>John Trostel<a class="ulink" href="mailto:jtrostel@snapserver.com" target="_top">mailto:jtrostel@snapserver.com</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="AdvancedNetworkManagement.html" title="Chapter 25. Advanced Network Management">Advanced Network Management</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="PolicyMgmt.html" title="Chapter 26. System and Account Policies">System and Account Policies</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management">Desktop Profile Management</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication">PAM-Based Distributed Authentication</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Stephen Langasek<a class="ulink" href="mailto:vorlon@netexpress.net" target="_top">mailto:vorlon@netexpress.net</a></p></li></ul></div><p>
-</p><p><a class="link" href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba">Integrating MS Windows Networks with Samba</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="unicode.html" title="Chapter 30. Unicode/Charsets">Unicode/Charsets</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>TAKAHASHI Motonobu<a class="ulink" href="mailto:monyo@home.monyo.com" target="_top">mailto:monyo@home.monyo.com</a> (Japanese character support) </p></li></ul></div><p>
-</p><p><a class="link" href="Backup.html" title="Chapter 31. Backup Techniques">Backup Techniques</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="SambaHA.html" title="Chapter 32. High Availability">High Availability</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Jeremy Allison<a class="ulink" href="mailto:jra@samba.org" target="_top">mailto:jra@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="largefile.html" title="Chapter 33. Handling Large Directories">Handling Large Directories</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Jeremy Allison<a class="ulink" href="mailto:jra@samba.org" target="_top">mailto:jra@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="cfgsmarts.html" title="Chapter 34. Advanced Configuration Techniques">Advanced Configuration Techniques</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="upgrading-to-3.0.html" title="Chapter 35. Updating and Upgrading Samba">Updating and Upgrading Samba</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Gerald (Jerry) Carter<a class="ulink" href="mailto:jerry@samba.org" target="_top">mailto:jerry@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="NT4Migration.html" title="Chapter 36. Migration from NT4 PDC to Samba-3 PDC">Migration from NT4 PDC to Samba-3 PDC</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="SWAT.html" title="Chapter 37. SWAT: The Samba Web Administration Tool">SWAT: The Samba Web Administration Tool</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="diagnosis.html" title="Chapter 38. The Samba Checklist">The Samba Checklist</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Andrew Tridgell<a class="ulink" href="mailto:tridge@samba.org" target="_top">mailto:tridge@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>Dan Shearer<a class="ulink" href="mailto:dan@samba.org" target="_top">mailto:dan@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="problems.html" title="Chapter 39. Analyzing and Solving Samba Problems">Analyzing and Solving Samba Problems</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Gerald (Jerry) Carter<a class="ulink" href="mailto:jerry@samba.org" target="_top">mailto:jerry@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>David Bannon<a class="ulink" href="mailto:dbannon@samba.org" target="_top">mailto:dbannon@samba.org</a></p></li><li class="listitem"><p>Dan Shearer<a class="ulink" href="mailto:dan@samba.org" target="_top">mailto:dan@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="bugreport.html" title="Chapter 40. Reporting Bugs">Reporting Bugs</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>Andrew Tridgell<a class="ulink" href="mailto:tridge@samba.org" target="_top">mailto:tridge@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="tdb.html" title="Chapter 41. Managing TDB Files">Managing TDB Files</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="compiling.html" title="Chapter 42. How to Compile Samba">How to Compile Samba</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Andrew Tridgell<a class="ulink" href="mailto:tridge@samba.org" target="_top">mailto:tridge@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="Portability.html" title="Chapter 43. Portability">Portability</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="Other-Clients.html" title="Chapter 44. Samba and Other CIFS Clients">Samba and Other CIFS Clients</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li><li class="listitem"><p>Dan Shearer<a class="ulink" href="mailto:dan@samba.org" target="_top">mailto:dan@samba.org</a></p></li><li class="listitem"><p>Jim McDonough<a class="ulink" href="mailto:jmcd@us.ibm.com" target="_top">mailto:jmcd@us.ibm.com</a> (OS/2) </p></li></ul></div><p>
-</p><p><a class="link" href="speed.html" title="Chapter 45. Samba Performance Tuning">Samba Performance Tuning</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Paul Cochrane<a class="ulink" href="mailto:paulc@dth.scot.nhs.uk" target="_top">mailto:paulc@dth.scot.nhs.uk</a></p></li><li class="listitem"><p>Jelmer R. Vernooij<a class="ulink" href="mailto:jelmer@samba.org" target="_top">mailto:jelmer@samba.org</a></p></li><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p><p><a class="link" href="ch-ldap-tls.html" title="Chapter 46. LDAP and Transport Layer Security">LDAP and Transport Layer Security</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Gavin Henry<a class="ulink" href="mailto:ghenry@suretecsystems.com" target="_top">mailto:ghenry@suretecsystems.com</a></p></li></ul></div><p>
-</p><p><a class="link" href="DNSDHCP.html" title="Chapter 48. DNS and DHCP Configuration Guide">DNS and DHCP Configuration Guide</a>
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>John H. Terpstra<a class="ulink" href="mailto:jht@samba.org" target="_top">mailto:jht@samba.org</a></p></li></ul></div><p>
-</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">About the Cover Artwork </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Foreword</td></tr></table></div></body></html>
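Review bot: the attribution list removed here jumps from Chapter 46 (ch-ldap-tls.html) to Chapter 48 (DNSDHCP.html) with no entry for Chapter 47, even though ch47.html appears in this commit's diffstat. Because this deletion drops the rendered per-chapter credits, including the contributors' mailto addresses, the commit message should say where the attribution now lives. If the source for this page is kept, the missing Chapter 47 entry is worth fixing there.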
diff --git a/docs/htmldocs/Samba3-HOWTO/pr03.html b/docs/htmldocs/Samba3-HOWTO/pr03.html
deleted file mode 100644
index 728cc2c6d4..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/pr03.html
+++ /dev/null
@@ -1,54 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Foreword</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="pr02.html" title="Attribution"><link rel="next" href="TOSHpreface.html" title="Preface"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Foreword</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="TOSHpreface.html">Next</a></td></tr></table><hr></div><div class="preface" title="Foreword"><div class="titlepage"><div><div><h2 class="title"><a name="id323466"></a>Foreword</h2></div></div></div><p>
-When John first asked me to write an introductory piece for his latest book, I was somewhat mystified as to
-why he chose me. A conversation with John provided some of the rationale, and he left it to me to fill in the
-<span class="emphasis"><em>rest</em></span> of the story. So, if you are willing to endure a little bit of background, I will
-provide the part of the story that John wouldn't provide.
-</p><p>
-I am the Director of Corporate Standards at Sun Microsystems, and manage Sun's standards portfolio. Before
-that, I was the Director of Standards at Netscape, which was when I met John. Before Sun, there was Digital
-Equipment Corporation, also standards. I've written several books on standards, and tend to observe (and
-occasionally help) the technical and business trends that drive standardization as a discipline. I tend to see
-standardization as a management tool, not as a technical discipline and this is part of the rationale that
-John provided.
-</p><p>
-The book that you have before you focuses on a particular standardized way of doing something hence, it is a
-book about a standard. The most important thing to keep in mind about a standard is the rationale for its
-creation. Standards are created not for technical reasons, not for business reasons, but for a deeper and much
-more compelling reason. Standards are created and used to allow people to communicate in a meaningful way.
-Every standard, if it is a true standard, has as its entire (and only) goal set the increasing of relevant
-communication between people.
-</p><p>
-This primary goal cannot be met however, unless the standard is documented. I have been involved in too many
-standardization efforts when it became apparent that <span class="emphasis"><em>everybody knows</em></span> was the dominant
-emotion of those providing documentation. <span class="emphasis"><em>They</em></span> of the ever present <span class="emphasis"><em>they
-say</em></span> and <span class="emphasis"><em>they know</em></span> are the bane of good standards. If <span class="emphasis"><em>they
-know</em></span>, why are you doing a standard?
-</p><p>
-A <span class="emphasis"><em>good standard</em></span> survives because people know how to use it. People know how to use a
-standard when it is so transparent, so obvious, and so easy that it becomes invisible. And a standard becomes
-invisible only when the documentation describing how to deploy it is clear, unambiguous, and correct. These
-three elements must be present for a standard to be useful, allowing communication and interaction between two
-separate and distinct entities to occur without obvious effort. As you read this book, look for the evidence
-of these three characteristics and notice how they are seamlessly woven into John's text. Clarity and
-unambiguity without <span class="emphasis"><em>correctness</em></span> provide a technical nightmare. Correctness and clarity
-with ambiguity create <span class="emphasis"><em>maybe bits,</em></span> and correctness and unambiguity without clarity provide
-a <span class="emphasis"><em>muddle through</em></span> scenario.
-</p><p>
-And this is <span class="emphasis"><em>the rest of the story</em></span> that John couldn't (or wouldn't) bring himself to
-state. This book provides a clear, concise, unambiguous, and technically valid presentation of Samba to make
-it useful to a user to someone who wants to use the standard to increase communication and the capability
-for communication between two or more entities whether person-machine, machine-machine, or person-person.
-The intent of this book is not to convince anyone of any agenda political, technical, or social. The intent
-is to provide documentation for users who need to know about Samba, how to use it, and how to get on with
-their primary responsibilities. While there is pride on John's part because of the tremendous success of
-the Samba documentation, he writes for the person who needs a tool to accomplish a particular job, and who has
-selected Samba to be that tool.
-</p><p>
-The book is a monument to John's perseverance and dedication to Samba and in my opinion to the goal of
-standardization. By writing this book, John has provided the users of Samba those that want to deploy it to
-make things better a clear, easy, and ultimately valuable resource. Additionally, he has increased the
-understanding and utility of a highly useful standard, and for this, as much as for the documentation, he is
-owed a debt of gratitude by those of us who rely on standards to make our lives more manageable.
-</p><p>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td>Carl Cargill, Senior Director</td></tr><tr><td>Corporate Standardization, The Office of the CTO</td></tr><tr><td>Sun Microsystems</td></tr></table><p>
-</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="TOSHpreface.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Attribution </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Preface</td></tr></table></div></body></html>
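Review bot: the generator meta tag in the first removed line (DocBook XSL Stylesheets V1.75.2) marks pr03.html as build output, so dropping it from the tree is reasonable, but the commit message should state how the HTML is regenerated and published from now on. The navigation header and footer link to pr02.html, TOSHpreface.html and index.html; check that all three are removed in the same commit so that no remaining page links to a file that no longer exists.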
diff --git a/docs/htmldocs/Samba3-HOWTO/problems.html b/docs/htmldocs/Samba3-HOWTO/problems.html
deleted file mode 100644
index d2e2399cdc..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/problems.html
+++ /dev/null
@@ -1,174 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 39. Analyzing and Solving Samba Problems</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="prev" href="diagnosis.html" title="Chapter 38. The Samba Checklist"><link rel="next" href="bugreport.html" title="Chapter 40. Reporting Bugs"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 39. Analyzing and Solving Samba Problems</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 39. Analyzing and Solving Samba Problems"><div class="titlepage"><div><div><h2 class="title"><a name="problems"></a>Chapter 39. 
Analyzing and Solving Samba Problems</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:dan@samba.org">dan@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">8 Apr 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="problems.html#id446780">Diagnostics Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="problems.html#id446829">Debugging with Samba Itself</a></span></dt><dt><span class="sect2"><a href="problems.html#id447073">Tcpdump</a></span></dt><dt><span class="sect2"><a href="problems.html#id447122">Ethereal</a></span></dt><dt><span class="sect2"><a 
href="problems.html#id447261">The Windows Network Monitor</a></span></dt></dl></dd><dt><span class="sect1"><a href="problems.html#id447567">Useful URLs</a></span></dt><dt><span class="sect1"><a href="problems.html#id447602">Getting Mailing List Help</a></span></dt><dt><span class="sect1"><a href="problems.html#id447756">How to Get Off the Mailing Lists</a></span></dt></dl></div><p>
-<a class="indexterm" name="id446757"></a>
-<a class="indexterm" name="id446764"></a>
-<a class="indexterm" name="id446770"></a>
-There are many sources of information available in the form of mailing lists, RFCs, and documentation. The
-documentation that comes with the Samba distribution contains good explanations of general SMB topics such as
-browsing.
-</p><div class="sect1" title="Diagnostics Tools"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id446780"></a>Diagnostics Tools</h2></div></div></div><p>
-<a class="indexterm" name="id446788"></a>
-<a class="indexterm" name="id446795"></a>
-<a class="indexterm" name="id446802"></a>
-<a class="indexterm" name="id446808"></a>
-<a class="indexterm" name="id446815"></a>
-With SMB networking, it is often not immediately clear what the cause is of a certain problem. Samba itself
-provides rather useful information, but in some cases you might have to fall back to using a
-<span class="emphasis"><em>sniffer</em></span>. A sniffer is a program that listens on your LAN, analyzes the data sent on it,
-and displays it on the screen.
-</p><div class="sect2" title="Debugging with Samba Itself"><div class="titlepage"><div><div><h3 class="title"><a name="id446829"></a>Debugging with Samba Itself</h3></div></div></div><p>
-<a class="indexterm" name="id446837"></a>
-<a class="indexterm" name="id446844"></a>
-<a class="indexterm" name="id446851"></a>
-<a class="indexterm" name="id446858"></a>
-<a class="indexterm" name="id446864"></a>
-<a class="indexterm" name="id446871"></a>
-<a class="indexterm" name="id446878"></a>
-One of the best diagnostic tools for debugging problems is Samba itself. You can use the <code class="option">-d
-option</code> for both <span class="application">smbd</span> and <span class="application">nmbd</span> to specify the <a class="link" href="smb.conf.5.html#DEBUGLEVEL" target="_top">debug level</a> at which to run.
-See the man pages for <code class="literal">smbd, nmbd</code>, and <code class="filename">smb.conf</code> for more information regarding debugging
-options. The debug level (log level) can range from 1 (the default) to 10 (100 for debugging passwords).
-</p><p>
-<a class="indexterm" name="id446929"></a>
-<a class="indexterm" name="id446936"></a>
-<a class="indexterm" name="id446943"></a>
-<a class="indexterm" name="id446950"></a>
-<a class="indexterm" name="id446957"></a>
-<a class="indexterm" name="id446963"></a>
-<a class="indexterm" name="id446970"></a>
-Another helpful method of debugging is to compile Samba using the <code class="literal">gcc -g </code> flag. This will
-include debug information in the binaries and allow you to attach <code class="literal">gdb</code> to the running
-<code class="literal">smbd/nmbd</code> process. To attach <code class="literal">gdb</code> to an <code class="literal">smbd</code> process
-for an NT workstation, first get the workstation to make the connection. Pressing ctrl-alt-delete and going
-down to the domain box is sufficient (at least, the first time you join the domain) to generate a
-<em class="parameter"><code>LsaEnumTrustedDomains</code></em>. Thereafter, the workstation maintains an open connection and
-there will be an smbd process running (assuming that you haven't set a really short smbd idle timeout). So, in
-between pressing <code class="literal">ctrl-alt-delete</code> and actually typing in your password, you can attach
-<code class="literal">gdb</code> and continue.
-</p><p>
-Some useful Samba commands worth investigating are:
-<a class="indexterm" name="id447032"></a>
-<a class="indexterm" name="id447038"></a>
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>testparm | more</code></strong>
-<code class="prompt">$ </code><strong class="userinput"><code>smbclient -L //{netbios name of server}</code></strong>
-</pre><p>
-</p></div><div class="sect2" title="Tcpdump"><div class="titlepage"><div><div><h3 class="title"><a name="id447073"></a>Tcpdump</h3></div></div></div><p>
-<a class="indexterm" name="id447081"></a>
-<a class="indexterm" name="id447088"></a>
-<a class="indexterm" name="id447095"></a>
-<a class="ulink" href="http://www.tcpdump.org/" target="_top">Tcpdump</a> was the first
-UNIX sniffer with SMB support. It is a command-line utility and
-now, its SMB support is somewhat lagging that of <code class="literal">ethereal</code>
-and <code class="literal">tethereal</code>.
-</p></div><div class="sect2" title="Ethereal"><div class="titlepage"><div><div><h3 class="title"><a name="id447122"></a>Ethereal</h3></div></div></div><p>
-<a class="indexterm" name="id447130"></a>
-<a class="ulink" href="http://www.ethereal.com/" target="_top">Ethereal</a> is a graphical sniffer, available for both UNIX (Gtk)
-and Windows. Ethereal's SMB support is quite good. For details on the use of <code class="literal">ethereal</code>, read
-the well-written Ethereal User Guide.
-</p><div class="figure"><a name="ethereal1"></a><p class="title"><b>Figure 39.1. Starting a Capture.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ethereal1.png" alt="Starting a Capture."></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="id447191"></a>
-Listen for data on ports 137, 138, 139, and 445. For example, use the filter <strong class="userinput"><code>port 137, port 138,
-port 139, or port 445</code></strong> as seen in <a class="link" href="problems.html#ethereal1" title="Figure 39.1. Starting a Capture.">Starting a Capture</a> snapshot.
-</p><p>
-A console version of ethereal is available as well and is called <code class="literal">tethereal</code>.
-</p><div class="figure"><a name="ethereal2"></a><p class="title"><b>Figure 39.2. Main Ethereal Data Window.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ethereal2.png" alt="Main Ethereal Data Window."></div></div></div><br class="figure-break"></div><div class="sect2" title="The Windows Network Monitor"><div class="titlepage"><div><div><h3 class="title"><a name="id447261"></a>The Windows Network Monitor</h3></div></div></div><p>
-<a class="indexterm" name="id447269"></a>
-<a class="indexterm" name="id447276"></a>
-<a class="indexterm" name="id447283"></a>
-<a class="indexterm" name="id447290"></a>
-<a class="indexterm" name="id447296"></a>
-<a class="indexterm" name="id447303"></a>
-For tracing things on Microsoft Windows NT, Network Monitor (aka Netmon) is available on Microsoft Developer
-Network CDs, the Windows NT Server install CD, and the SMS CDs. The version of Netmon that ships with SMS
-allows for dumping packets between any two computers (i.e., placing the network interface in promiscuous
-mode). The version on the NT Server install CD will only allow monitoring of network traffic directed to the
-local NT box and broadcasts on the local subnet. Be aware that Ethereal can read and write Netmon formatted
-files.
-</p><div class="sect3" title="Installing Network Monitor on an NT Workstation"><div class="titlepage"><div><div><h4 class="title"><a name="id447316"></a>Installing Network Monitor on an NT Workstation</h4></div></div></div><p>
-<a class="indexterm" name="id447324"></a>
-Installing Netmon on an NT workstation requires a couple of steps. The following are instructions for
-installing Netmon V4.00.349, which comes with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
-Workstation 4.0. The process should be similar for other versions of Windows NT version of Netmon. You will
-need both the Microsoft Windows NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
-</p><p>
-<a class="indexterm" name="id447337"></a>
-Initially you will need to install <span class="application">Network Monitor Tools and Agent</span>
-on the NT Server to do this:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Go to <span class="guibutton">Start</span> -&gt; <span class="guibutton">Settings</span> -&gt; <span class="guibutton">Control Panel</span> -&gt;
- <span class="guibutton">Network</span> -&gt; <span class="guibutton">Services</span> -&gt; <span class="guibutton">Add</span>.</p></li><li class="listitem"><p>Select the <span class="guilabel">Network Monitor Tools and Agent</span> and click on <span class="guibutton">OK</span>.</p></li><li class="listitem"><p>Click on <span class="guibutton">OK</span> on the Network Control Panel.</p></li><li class="listitem"><p>Insert the Windows NT Server 4.0 install CD when prompted.</p></li></ul></div><p>
-At this point, the Netmon files should exist in <code class="filename">%SYSTEMROOT%\System32\netmon\*.*</code>.
-Two subdirectories exist as well: <code class="filename">parsers\</code>, which contains the necessary DLLs
-for parsing the Netmon packet dump, and <code class="filename">captures\</code>.
-</p><p>
-To install the Netmon tools on an NT Workstation, you will first need to install the
-Network Monitor Agent from the Workstation install CD.
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Go to <span class="guibutton">Start</span> -&gt; <span class="guibutton">Settings</span> -&gt;
- <span class="guibutton">Control Panel</span> -&gt; <span class="guibutton">Network</span> -&gt;
- <span class="guibutton">Services</span> -&gt; <span class="guibutton">Add</span>.</p></li><li class="listitem"><p>Select the <span class="guilabel">Network Monitor Agent</span>, click on
- <span class="guibutton">OK</span>.</p></li><li class="listitem"><p>Click on <span class="guibutton">OK</span> in the Network Control Panel.
- </p></li><li class="listitem"><p>Insert the Windows NT Workstation 4.0 install CD when prompted.</p></li></ul></div><p>
-Now copy the files from the NT Server in <code class="filename">%SYSTEMROOT%\System32\netmon</code>
-to <code class="filename">%SYSTEMROOT%\System32\netmon</code> on the workstation and set permissions
-as you deem appropriate for your site. You will need administrative rights on the NT box to run Netmon.
-</p></div><div class="sect3" title="Installing Network Monitor on Windows 9x/Me"><div class="titlepage"><div><div><h4 class="title"><a name="id447546"></a>Installing Network Monitor on Windows 9x/Me</h4></div></div></div><p>
-To install Netmon on Windows 9x/Me, install the Network Monitor Agent
-from the Windows 9x/Me CD (<code class="filename">\admin\nettools\netmon</code>).
-There is a readme file included with the Netmon driver files on the CD if you need
-information on how to do this. Copy the files from a working Netmon installation.
-</p></div></div></div><div class="sect1" title="Useful URLs"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id447567"></a>Useful URLs</h2></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>See how Scott Merrill simulates a BDC behavior at
- <a class="ulink" href="http://www.skippy.net/linux/smb-howto.html" target="_top">
- http://www.skippy.net/linux/smb-howto.html</a>. </p></li><li class="listitem"><p>FTP site for older SMB specs,
- <a class="ulink" href="ftp://ftp.microsoft.com/developr/drg/CIFS/" target="_top">
- ftp://ftp.microsoft.com/developr/drg/CIFS/</a></p></li></ul></div></div><div class="sect1" title="Getting Mailing List Help"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id447602"></a>Getting Mailing List Help</h2></div></div></div><p>
-There are a number of Samba-related mailing lists. Go to <a class="ulink" href="http://samba.org" target="_top">http://samba.org</a>, click on your nearest mirror,
-and then click on <code class="literal">Support</code>. Next, click on <code class="literal">
-Samba-related mailing lists</code>.
-</p><p>
-For questions relating to Samba TNG, go to
-<a class="ulink" href="http://www.samba-tng.org/" target="_top">http://www.samba-tng.org/</a>.
-It has been requested that you do not post questions about Samba-TNG to the
-mainstream Samba lists.</p><p>
-If you do post a message to one of the lists, please observe the following guidelines:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id447654"></a>
- Always remember that the developers are volunteers; they are
- not paid and they never guarantee to produce a particular feature at
- a particular time. Any timelines are <span class="quote">&#8220;<span class="quote">best guess,</span>&#8221;</span> and nothing more.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id447670"></a>
- Always mention what version of Samba you are using and what
- operating system it's running under. You should list the relevant sections of
- your <code class="filename">smb.conf</code> file, at least the options in <em class="parameter"><code>[global]</code></em>
- that affect PDC support.
- </p></li><li class="listitem"><p>In addition to the version, if you obtained Samba via
- CVS, mention the date when you last checked it out.</p></li><li class="listitem"><p> Try to make your questions clear and brief. Lots of long,
- convoluted questions get deleted before they are completely read!
- Do not post HTML-encoded messages. Most people on mailing lists simply delete
- them.
- </p></li><li class="listitem"><p> If you run one of those nifty <span class="quote">&#8220;<span class="quote">I'm on holiday</span>&#8221;</span> things when
- you are away, make sure its configured to not answer mailing list traffic. Autoresponses
- to mailing lists really irritate the thousands of people who end up having to deal
- with such bad netiquet bahavior.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id447716"></a>
- Don't cross post. Work out which is the best list to post to
- and see what happens. Do not post to both samba-ntdom and samba-technical.
- Many people active on the lists subscribe to more
- than one list and get annoyed to see the same message two or more times.
- Often someone who thinks a message would be better dealt
- with on another list will forward it on for you.</p></li><li class="listitem"><p>You might include <span class="emphasis"><em>partial</em></span>
- log files written at a log level set to as much as 20.
- Please do not send the entire log but just enough to give the context of the
- error messages.</p></li><li class="listitem"><p>If you have a complete Netmon trace (from the opening of
- the pipe to the error), you can send the *.CAP file as well.</p></li><li class="listitem"><p>Please think carefully before attaching a document to an email.
- Consider pasting the relevant parts into the body of the message. The Samba
- mailing lists go to a huge number of people. Do they all need a copy of your
- <code class="filename">smb.conf</code> in their attach directory?</p></li></ul></div></div><div class="sect1" title="How to Get Off the Mailing Lists"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id447756"></a>How to Get Off the Mailing Lists</h2></div></div></div><p>To have your name removed from a Samba mailing list, go to the same
-place where you went to
-subscribe to it, go to <a class="ulink" href="http://lists.samba.org/" target="_top">http://lists.samba.org</a>,
-click on your nearest mirror, click on <code class="literal">Support</code>, and
-then click on <code class="literal">Samba-related mailing lists</code>.
-</p><p>
-Please do not post messages to the list asking to be removed. You will only
-be referred to the above address (unless that process failed in some way).
-</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 38. The Samba Checklist </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 40. Reporting Bugs</td></tr></table></div></body></html>
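Review bot: the removal of problems.html takes its link targets with it, namely the page itself and the numeric section anchors in its table of contents (`problems.html#id446780`, `problems.html#id447602` and the rest), so anything kept outside docs/htmldocs/Samba3-HOWTO that still points at them will dangle; search the remaining tree for `problems.html` before merging. The navfooter closing this hunk links to diagnosis.html and bugreport.html, which the diffstat shows are removed as well, so those two are consistent. The markup looks like generated output (runs of `indexterm` anchors with numeric ids such as id446757), so please also confirm that the source for this chapter stays in the tree: the guidance on `-d` debug levels ("100 for debugging passwords") and on posting partial logs and Netmon *.CAP traces to the lists is visible here only as rendered HTML. If that source is regenerated later, a sentence on checking logs and captures for credentials before posting them to a public list would be worth adding beside that advice.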
diff --git a/docs/htmldocs/Samba3-HOWTO/rights.html b/docs/htmldocs/Samba3-HOWTO/rights.html
deleted file mode 100644
index 52d49fd53e..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/rights.html
+++ /dev/null
@@ -1,413 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. User Rights and Privileges</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)"><link rel="next" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. User Rights and Privileges</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="idmapper.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 15. User Rights and Privileges"><div class="titlepage"><div><div><h2 class="title"><a name="rights"></a>Chapter 15. 
User Rights and Privileges</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="rights.html#id376570">Rights Management Capabilities</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id376833">Using the <span class="quote">&#8220;<span class="quote">net rpc rights</span>&#8221;</span> Utility</a></span></dt><dt><span class="sect2"><a href="rights.html#id377149">Description of Privileges</a></span></dt><dt><span class="sect2"><a href="rights.html#id377439">Privileges Supported by Windows 2000 Domain Controllers</a></span></dt></dl></dd><dt><span class="sect1"><a href="rights.html#id377883">The Administrator Domain SID</a></span></dt><dt><span class="sect1"><a href="rights.html#id378048">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id378053">What Rights and Privileges Will Permit Windows Client Administration?</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id376313"></a>
-<a class="indexterm" name="id376320"></a>
-<a class="indexterm" name="id376326"></a>
-<a class="indexterm" name="id376333"></a>
-The administration of Windows user, group, and machine accounts in the Samba
-domain-controlled network necessitates interfacing between the MS Windows
-networking environment and the UNIX operating system environment. The right
-(permission) to add machines to the Windows security domain can be assigned
-(set) to non-administrative users both in Windows NT4 domains and
-Active Directory domains.
-</p><p>
-<a class="indexterm" name="id376346"></a>
-<a class="indexterm" name="id376353"></a>
-<a class="indexterm" name="id376360"></a>
-<a class="indexterm" name="id376367"></a>
-The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the
-creation of a machine account for each machine added. The machine account is
-a necessity that is used to validate that the machine can be trusted to permit
-user logons.
-</p><p>
-<a class="indexterm" name="id376379"></a>
-<a class="indexterm" name="id376386"></a>
-<a class="indexterm" name="id376393"></a>
-<a class="indexterm" name="id376400"></a>
-<a class="indexterm" name="id376406"></a>
-<a class="indexterm" name="id376413"></a>
-Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is
-hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account.
-Machine accounts differ from normal user accounts in that the account name (login ID) is terminated with a
-<code class="literal">$</code> sign. An additional difference is that this type of account should not ever be able to
-log into the UNIX environment as a system user and therefore is set to have a shell of
-<code class="literal">/bin/false</code> and a home directory of <code class="literal">/dev/null.</code> The machine
-account is used only to authenticate domain member machines during start-up. This security measure
-is designed to block man-in-the-middle attempts to violate network integrity.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id376448"></a>
-<a class="indexterm" name="id376454"></a>
-<a class="indexterm" name="id376461"></a>
-<a class="indexterm" name="id376468"></a>
-<a class="indexterm" name="id376475"></a>
-Machine (computer) accounts are used in the Windows NT OS family to store security
-credentials for domain member servers and workstations. When the domain member
-starts up, it goes through a validation process that includes an exchange of
-credentials with a domain controller. If the domain member fails to authenticate
-using the credentials known for it by domain controllers, the machine will be refused
-all access by domain users. The computer account is essential to the way that MS
-Windows secures authentication.
-</p></div><p>
-<a class="indexterm" name="id376489"></a>
-<a class="indexterm" name="id376496"></a>
-<a class="indexterm" name="id376503"></a>
-<a class="indexterm" name="id376510"></a>
-The creation of UNIX system accounts has traditionally been the sole right of
-the system administrator, better known as the <code class="constant">root</code> account.
-It is possible in the UNIX environment to create multiple users who have the
-same UID. Any UNIX user who has a UID=0 is inherently the same as the
-<code class="constant">root</code> account user.
-</p><p>
-<a class="indexterm" name="id376529"></a>
-<a class="indexterm" name="id376536"></a>
-<a class="indexterm" name="id376543"></a>
-<a class="indexterm" name="id376550"></a>
-All versions of Samba call system interface scripts that permit CIFS function
-calls that are used to manage users, groups, and machine accounts
-in the UNIX environment. All versions of Samba up to and including version 3.0.10
-required the use of a Windows administrator account that unambiguously maps to
-the UNIX <code class="constant">root</code> account to permit the execution of these
-interface scripts. The requirement to do this has understandably met with some
-disdain and consternation among Samba administrators, particularly where it became
-necessary to permit people who should not possess <code class="constant">root</code>-level
-access to the UNIX host system.
-</p><div class="sect1" title="Rights Management Capabilities"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id376570"></a>Rights Management Capabilities</h2></div></div></div><p>
-<a class="indexterm" name="id376578"></a>
-<a class="indexterm" name="id376585"></a>
-<a class="indexterm" name="id376592"></a>
-<a class="indexterm" name="id376598"></a>
-Samba 3.0.11 introduced support for the Windows privilege model. This model
-allows certain rights to be assigned to a user or group SID. In order to enable
-this feature, <a class="link" href="smb.conf.5.html#ENABLEPRIVILEGES" target="_top">enable privileges = yes</a>
-must be defined in the <em class="parameter"><code>global</code></em> section of the <code class="filename">smb.conf</code> file.
-</p><p>
-<a class="indexterm" name="id376634"></a>
-<a class="indexterm" name="id376641"></a>
-<a class="indexterm" name="id376648"></a>
-Currently, the rights supported in Samba-3 are listed in <a class="link" href="rights.html#rp-privs" title="Table 15.1. Current Privilege Capabilities">&#8220;Current Privilege Capabilities&#8221;</a>.
-The remainder of this chapter explains how to manage and use these privileges on Samba servers.
-</p><a class="indexterm" name="id376664"></a><a class="indexterm" name="id376671"></a><a class="indexterm" name="id376678"></a><a class="indexterm" name="id376684"></a><a class="indexterm" name="id376691"></a><a class="indexterm" name="id376698"></a><div class="table"><a name="rp-privs"></a><p class="title"><b>Table 15.1. Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="right"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="right"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="right"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="right"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="right"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="right"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr><tr><td align="right"><p>SeTakeOwnershipPrivilege</p></td><td align="left"><p>Take ownership of files or other objects</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" title="Using the &#8220;net rpc rights&#8221; Utility"><div class="titlepage"><div><div><h3 class="title"><a name="id376833"></a>Using the <span class="quote">&#8220;<span class="quote">net rpc rights</span>&#8221;</span> Utility</h3></div></div></div><p>
-<a class="indexterm" name="id376844"></a>
-<a class="indexterm" name="id376851"></a>
-<a class="indexterm" name="id376858"></a>
-<a class="indexterm" name="id376865"></a>
-<a class="indexterm" name="id376871"></a>
-There are two primary means of managing the rights assigned to users and groups
-on a Samba server. The <code class="literal">NT4 User Manager for Domains</code> may be
-used from any Windows NT4, 2000, or XP Professional domain member client to
-connect to a Samba domain controller and view/modify the rights assignments.
-This application, however, appears to have bugs when run on a client running
-Windows 2000 or later; therefore, Samba provides a command-line utility for
-performing the necessary administrative actions.
-</p><p>
-The <code class="literal">net rpc rights</code> utility in Samba 3.0.11 has three new subcommands:
-</p><div class="variablelist"><dl><dt><span class="term">list [name|accounts]</span></dt><dd><p>
-<a class="indexterm" name="id376909"></a>
-<a class="indexterm" name="id376920"></a>
-<a class="indexterm" name="id376927"></a>
-<a class="indexterm" name="id376934"></a>
- When called with no arguments, <code class="literal">net rpc list</code>
- simply lists the available rights on the server. When passed
- a specific user or group name, the tool lists the privileges
- currently assigned to the specified account. When invoked using
- the special string <code class="constant">accounts</code>,
- <code class="literal">net rpc rights list</code> returns a list of all
- privileged accounts on the server and the assigned rights.
- </p></dd><dt><span class="term">grant &lt;user&gt; &lt;right [right ...]&gt;</span></dt><dd><p>
-<a class="indexterm" name="id376968"></a>
-<a class="indexterm" name="id376975"></a>
-<a class="indexterm" name="id376982"></a>
-<a class="indexterm" name="id376989"></a>
- When called with no arguments, this function is used to assign
- a list of rights to a specified user or group. For example,
- to grant the members of the Domain Admins group on a Samba domain controller,
- the capability to add client machines to the domain, one would run:
-</p><pre class="screen">
-<code class="prompt">root# </code> net -S server -U domadmin rpc rights grant \
- 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
-</pre><p>
- The following syntax has the same result:
-<a class="indexterm" name="id377011"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc rights grant 'DOMAIN\Domain Admins' \
- SeMachineAccountPrivilege -S server -U domadmin
-</pre><p>
- More than one privilege can be assigned by specifying a
- list of rights separated by spaces. The parameter 'Domain\Domain Admins'
- must be quoted with single ticks or using double-quotes to prevent
- the backslash and the space from being interpreted by the system shell.
- </p></dd><dt><span class="term">revoke &lt;user&gt; &lt;right [right ...]&gt;</span></dt><dd><p>
- This command is similar in format to <code class="literal">net rpc rights grant</code>. Its
- effect is to remove an assigned right (or list of rights) from a user or group.
- </p></dd></dl></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id377060"></a>
-<a class="indexterm" name="id377067"></a>
-<a class="indexterm" name="id377074"></a>
-You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned
-to an account. This capability is inherent to the Domain Admins group and is not configurable. There are no
-default rights and privileges, except the ability for a member of the Domain Admins group to assign them.
-This means that all administrative rights and privileges (other than the ability to assign them) must be
-explicitly assigned, even for the Domain Admins group.
-</p></div><p>
-<a class="indexterm" name="id377088"></a>
-<a class="indexterm" name="id377095"></a>
-<a class="indexterm" name="id377102"></a>
-<a class="indexterm" name="id377108"></a>
-By default, no privileges are initially assigned to any account because certain actions will be performed as
-root once smbd determines that a user has the necessary rights. For example, when joining a client to a
-Windows domain, <em class="parameter"><code>add machine script</code></em> must be executed with superuser rights in most
-cases. For this reason, you should be very careful about handing out privileges to accounts.
-</p><p>
-<a class="indexterm" name="id377126"></a>
-<a class="indexterm" name="id377133"></a>
-<a class="indexterm" name="id377140"></a>
-Access as the root user (UID=0) bypasses all privilege checks.
-</p></div><div class="sect2" title="Description of Privileges"><div class="titlepage"><div><div><h3 class="title"><a name="id377149"></a>Description of Privileges</h3></div></div></div><p>
-<a class="indexterm" name="id377157"></a>
-<a class="indexterm" name="id377164"></a>
-<a class="indexterm" name="id377171"></a>
-The privileges that have been implemented in Samba-3.0.11 are shown below. It is possible, and likely, that
-additional privileges may be implemented in later releases of Samba. It is also likely that any privileges
-currently implemented but not used may be removed from future releases as a housekeeping matter, so it is
-important that the successful as well as unsuccessful use of these facilities should be reported on the Samba
-mailing lists.
-</p><div class="variablelist"><dl><dt><span class="term">SeAddUsersPrivilege</span></dt><dd><p>
-<a class="indexterm" name="id377192"></a>
-<a class="indexterm" name="id377199"></a>
-<a class="indexterm" name="id377206"></a>
- This right determines whether or not smbd will allow the
- user to create new user or group accounts via such tools
- as <code class="literal">net rpc user add</code> or
- <code class="literal">NT4 User Manager for Domains.</code>
- </p></dd><dt><span class="term">SeDiskOperatorPrivilege</span></dt><dd><p>
-<a class="indexterm" name="id377236"></a>
-<a class="indexterm" name="id377242"></a>
-<a class="indexterm" name="id377249"></a>
- Accounts that possess this right will be able to execute
- scripts defined by the <code class="literal">add/delete/change</code>
- share command in <code class="filename">smb.conf</code> file as root. Such users will
- also be able to modify the ACL associated with file shares
- on the Samba server.
- </p></dd><dt><span class="term">SeMachineAccountPrivilege</span></dt><dd><p>
-<a class="indexterm" name="id377279"></a>
-<a class="indexterm" name="id377286"></a>
-<a class="indexterm" name="id377293"></a>
- This right controls whether or not the user can join client
- machines to a Samba-controlled domain.
- </p></dd><dt><span class="term">SePrintOperatorPrivilege</span></dt><dd><p>
-<a class="indexterm" name="id377311"></a>
-<a class="indexterm" name="id377318"></a>
-<a class="indexterm" name="id377325"></a>
-<a class="indexterm" name="id377332"></a>
-<a class="indexterm" name="id377338"></a>
- This privilege operates identically to the <a class="link" href="smb.conf.5.html#PRINTERADMIN" target="_top">printer admin</a>
- option in the <code class="filename">smb.conf</code> file (see section 5 man page for <code class="filename">smb.conf</code>)
- except that it is a global right (not on a per-printer basis).
- Eventually the smb.conf option will be deprecated and administrative
- rights to printers will be controlled exclusively by this right and
- the security descriptor associated with the printer object in the
- <code class="filename">ntprinters.tdb</code> file.
- </p></dd><dt><span class="term">SeRemoteShutdownPrivilege</span></dt><dd><p>
-<a class="indexterm" name="id377388"></a>
-<a class="indexterm" name="id377395"></a>
-<a class="indexterm" name="id377402"></a>
- Samba provides two hooks for shutting down or rebooting
- the server and for aborting a previously issued shutdown
- command. Since this is an operation normally limited by
- the operating system to the root user, an account must possess this
- right to be able to execute either of these hooks.
- </p></dd><dt><span class="term">SeTakeOwnershipPrivilege</span></dt><dd><p>
-<a class="indexterm" name="id377421"></a>
-<a class="indexterm" name="id377428"></a>
- This right permits users to take ownership of files and directories.
- </p></dd></dl></div></div><div class="sect2" title="Privileges Supported by Windows 2000 Domain Controllers"><div class="titlepage"><div><div><h3 class="title"><a name="id377439"></a>Privileges Supported by Windows 2000 Domain Controllers</h3></div></div></div><p>
- For reference purposes, a Windows NT4 Primary Domain Controller reports support for the following
- privileges:
-<a class="indexterm" name="id377448"></a>
-<a class="indexterm" name="id377455"></a>
-<a class="indexterm" name="id377462"></a>
-<a class="indexterm" name="id377469"></a>
-<a class="indexterm" name="id377476"></a>
-<a class="indexterm" name="id377482"></a>
-<a class="indexterm" name="id377489"></a>
-<a class="indexterm" name="id377496"></a>
-<a class="indexterm" name="id377503"></a>
-<a class="indexterm" name="id377510"></a>
-<a class="indexterm" name="id377517"></a>
-<a class="indexterm" name="id377524"></a>
-<a class="indexterm" name="id377530"></a>
-<a class="indexterm" name="id377537"></a>
-<a class="indexterm" name="id377544"></a>
-<a class="indexterm" name="id377551"></a>
-<a class="indexterm" name="id377558"></a>
-<a class="indexterm" name="id377565"></a>
-<a class="indexterm" name="id377572"></a>
-<a class="indexterm" name="id377578"></a>
-<a class="indexterm" name="id377585"></a>
-<a class="indexterm" name="id377592"></a>
-<a class="indexterm" name="id377599"></a>
-</p><pre class="screen">
- SeCreateTokenPrivilege Create a token object
- SeAssignPrimaryTokenPrivilege Replace a process level token
- SeLockMemoryPrivilege Lock pages in memory
- SeIncreaseQuotaPrivilege Increase quotas
- SeMachineAccountPrivilege Add workstations to domain
- SeTcbPrivilege Act as part of the operating system
- SeSecurityPrivilege Manage auditing and security log
- SeTakeOwnershipPrivilege Take ownership of files or other objects
- SeLoadDriverPrivilege Load and unload device drivers
- SeSystemProfilePrivilege Profile system performance
- SeSystemtimePrivilege Change the system time
-SeProfileSingleProcessPrivilege Profile single process
-SeIncreaseBasePriorityPrivilege Increase scheduling priority
- SeCreatePagefilePrivilege Create a pagefile
- SeCreatePermanentPrivilege Create permanent shared objects
- SeBackupPrivilege Back up files and directories
- SeRestorePrivilege Restore files and directories
- SeShutdownPrivilege Shut down the system
- SeDebugPrivilege Debug programs
- SeAuditPrivilege Generate security audits
- SeSystemEnvironmentPrivilege Modify firmware environment values
- SeChangeNotifyPrivilege Bypass traverse checking
- SeRemoteShutdownPrivilege Force shutdown from a remote system
-</pre><p>
- And Windows 200x/XP Domain Controllers and workstations reports to support the following privileges:
-<a class="indexterm" name="id377636"></a>
-<a class="indexterm" name="id377642"></a>
-<a class="indexterm" name="id377649"></a>
-<a class="indexterm" name="id377656"></a>
-<a class="indexterm" name="id377663"></a>
-<a class="indexterm" name="id377670"></a>
-<a class="indexterm" name="id377677"></a>
-<a class="indexterm" name="id377684"></a>
-<a class="indexterm" name="id377690"></a>
-<a class="indexterm" name="id377697"></a>
-<a class="indexterm" name="id377704"></a>
-<a class="indexterm" name="id377711"></a>
-<a class="indexterm" name="id377718"></a>
-<a class="indexterm" name="id377725"></a>
-<a class="indexterm" name="id377732"></a>
-<a class="indexterm" name="id377739"></a>
-<a class="indexterm" name="id377746"></a>
-<a class="indexterm" name="id377752"></a>
-<a class="indexterm" name="id377759"></a>
-<a class="indexterm" name="id377766"></a>
-<a class="indexterm" name="id377773"></a>
-<a class="indexterm" name="id377780"></a>
-<a class="indexterm" name="id377786"></a>
-<a class="indexterm" name="id377793"></a>
-<a class="indexterm" name="id377800"></a>
-<a class="indexterm" name="id377807"></a>
-<a class="indexterm" name="id377814"></a>
-<a class="indexterm" name="id377821"></a>
-<a class="indexterm" name="id377828"></a>
-</p><pre class="screen">
- SeCreateTokenPrivilege Create a token object
- SeAssignPrimaryTokenPrivilege Replace a process level token
- SeLockMemoryPrivilege Lock pages in memory
- SeIncreaseQuotaPrivilege Increase quotas
- SeMachineAccountPrivilege Add workstations to domain
- SeTcbPrivilege Act as part of the operating system
- SeSecurityPrivilege Manage auditing and security log
- SeTakeOwnershipPrivilege Take ownership of files or other objects
- SeLoadDriverPrivilege Load and unload device drivers
- SeSystemProfilePrivilege Profile system performance
- SeSystemtimePrivilege Change the system time
-SeProfileSingleProcessPrivilege Profile single process
-SeIncreaseBasePriorityPrivilege Increase scheduling priority
- SeCreatePagefilePrivilege Create a pagefile
- SeCreatePermanentPrivilege Create permanent shared objects
- SeBackupPrivilege Back up files and directories
- SeRestorePrivilege Restore files and directories
- SeShutdownPrivilege Shut down the system
- SeDebugPrivilege Debug programs
- SeAuditPrivilege Generate security audits
- SeSystemEnvironmentPrivilege Modify firmware environment values
- SeChangeNotifyPrivilege Bypass traverse checking
- SeRemoteShutdownPrivilege Force shutdown from a remote system
- SeUndockPrivilege Remove computer from docking station
- SeSyncAgentPrivilege Synchronize directory service data
- SeEnableDelegationPrivilege Enable computer and user accounts to
- be trusted for delegation
- SeManageVolumePrivilege Perform volume maintenance tasks
- SeImpersonatePrivilege Impersonate a client after authentication
- SeCreateGlobalPrivilege Create global objects
-</pre><p>
-<a class="indexterm" name="id377871"></a>
- The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux
- environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX.
- </p></div></div><div class="sect1" title="The Administrator Domain SID"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id377883"></a>The Administrator Domain SID</h2></div></div></div><p>
-<a class="indexterm" name="id377890"></a>
-<a class="indexterm" name="id377897"></a>
-<a class="indexterm" name="id377904"></a>
-<a class="indexterm" name="id377911"></a>
-<a class="indexterm" name="id377918"></a>
-Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions
-commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges
-(see <a class="link" href="rights.html" title="Chapter 15. User Rights and Privileges">User Rights and Privileges</a>). An account in the server's passdb backend can
-be set to the well-known RID of the default administrator account. To obtain the domain SID on a Samba domain
-controller, run the following command:
-</p><pre class="screen">
-<code class="prompt">root# </code> net getlocalsid
-SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
-</pre><p>
-<a class="indexterm" name="id377947"></a>
-You may assign the domain administrator RID to an account using the <code class="literal">pdbedit</code>
-command as shown here:
-<a class="indexterm" name="id377960"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code> pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
-</pre><p>
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id377983"></a>
-<a class="indexterm" name="id377990"></a>
-<a class="indexterm" name="id377997"></a>
-<a class="indexterm" name="id378004"></a>
-The RID 500 is the well known standard value of the default Administrator account. It is the RID
-that confers the rights and privileges that the Administrator account has on a Windows machine
-or domain. Under UNIX/Linux the equivalent is UID=0 (the root account).
-</p></div><p>
-<a class="indexterm" name="id378016"></a>
-<a class="indexterm" name="id378023"></a>
-<a class="indexterm" name="id378030"></a>
-<a class="indexterm" name="id378037"></a>
-Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account
-provided equivalent rights and privileges have been established for a Windows user or a Windows
-group account.
-</p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id378048"></a>Common Errors</h2></div></div></div><div class="sect2" title="What Rights and Privileges Will Permit Windows Client Administration?"><div class="titlepage"><div><div><h3 class="title"><a name="id378053"></a>What Rights and Privileges Will Permit Windows Client Administration?</h3></div></div></div><p>
-<a class="indexterm" name="id378061"></a>
-<a class="indexterm" name="id378068"></a>
-<a class="indexterm" name="id378075"></a>
-<a class="indexterm" name="id378082"></a>
- When a Windows NT4 (or later) client joins a domain, the domain global <code class="literal">Domain Admins</code> group
- is added to the membership of the local <code class="literal">Administrators</code> group on the client. Any user who is
- a member of the domain global <code class="literal">Domain Admins</code> group will have administrative rights on the
- Windows client.
- </p><p>
-<a class="indexterm" name="id378112"></a>
-<a class="indexterm" name="id378118"></a>
-<a class="indexterm" name="id378125"></a>
-<a class="indexterm" name="id378132"></a>
-<a class="indexterm" name="id378139"></a>
- This is often not the most desirable solution because it means that the user will have administrative
- rights and privileges on domain servers also. The <code class="literal">Power Users</code> group on Windows client
- workstations permits local administration of the workstation alone. Any domain global user or domain global
- group can be added to the membership of the local workstation group <code class="literal">Power Users</code>.
- </p><p>
-<a class="indexterm" name="id378164"></a>
-<a class="indexterm" name="id378171"></a>
-<a class="indexterm" name="id378178"></a>
-<a class="indexterm" name="id378184"></a>
- See <a class="link" href="NetCommand.html#nestedgrpmgmgt" title="Nested Group Support">Nested Group Support</a> for an example of how to add domain users
- and groups to a local group that is on a Windows workstation. The use of the <code class="literal">net</code>
- command permits this to be done from the Samba server.
- </p><p>
-<a class="indexterm" name="id378210"></a>
-<a class="indexterm" name="id378216"></a>
-<a class="indexterm" name="id378223"></a>
- Another way this can be done is to log onto the Windows workstation as the user
- <code class="literal">Administrator</code>, then open a <code class="literal">cmd</code> shell, then execute:
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code> net localgroup administrators /add <strong class="userinput"><code>domain_name\entity</code></strong>
-</pre><p>
- where <code class="literal">entity</code> is either a domain user or a domain group account name.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="idmapper.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. Identity Mapping (IDMAP) </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. File, Directory, and Share Access Controls</td></tr></table></div></body></html>
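Review bot: The section removed here under the heading "Privileges Supported by Windows 2000 Domain Controllers" opens with "a Windows NT4 Primary Domain Controller reports support for the following privileges", so the heading and the first list disagree, and the second list is introduced with "reports to support". This file looks like generated output (indexterm anchors, navigation footer), so if the chapter is still built from a source document, both should be corrected there rather than carried into the next build. The deletion also takes out the security-relevant statements that "Access as the root user (UID=0) bypasses all privilege checks" and that RID 500 is the UNIX equivalent of UID=0. It would help to say in the commit message where readers can find this guidance once the rendered page is gone.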
diff --git a/docs/htmldocs/Samba3-HOWTO/samba-bdc.html b/docs/htmldocs/Samba3-HOWTO/samba-bdc.html
deleted file mode 100644
index 07bc9b5482..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/samba-bdc.html
+++ /dev/null
@@ -1,557 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Backup Domain Control</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="samba-pdc.html" title="Chapter 4. Domain Control"><link rel="next" href="domain-member.html" title="Chapter 6. Domain Membership"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Backup Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 5. Backup Domain Control"><div class="titlepage"><div><div><h2 class="title"><a name="samba-bdc"></a>Chapter 5. 
Backup Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="samba-bdc.html#id336899">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-bdc.html#id337275">Essential Background Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id337967">LDAP Configuration Notes</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id338300">Active Directory Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id338437">How Does a Workstation find its Domain 
Controller?</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id339066">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id339500">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id339540">Machine Accounts Keep Expiring</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id339588">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id339736">Can I Do This All with LDAP?</a></span></dt></dl></dd></dl></div><p>
-Before you continue reading this section, please make sure that you are comfortable
-with configuring a Samba domain controller as described in <a class="link" href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id336899"></a>Features and Benefits</h2></div></div></div><p>
-This is one of the most difficult chapters to summarize. It does not matter what we say here, for someone will
-still draw conclusions and/or approach the Samba Team with expectations that are either not yet capable of
-being delivered or that can be achieved far more effectively using a totally different approach. In the event
-that you should have a persistent concern that is not addressed in this book, please email <a class="ulink" href="mailto:jht@samba.org" target="_top">John H. Terpstra</a> clearly setting out your requirements and/or question, and
-we will do our best to provide a solution.
-</p><p>
-<a class="indexterm" name="id336921"></a>
-<a class="indexterm" name="id336930"></a>
-<a class="indexterm" name="id336936"></a>
-<a class="indexterm" name="id336943"></a>
-<a class="indexterm" name="id336952"></a>
-Samba-3 can act as a Backup Domain Controller (BDC) to another Samba Primary Domain Controller (PDC). A
-Samba-3 PDC can operate with an LDAP account backend. The LDAP backend can be either a common master LDAP
-server or a slave server. The use of a slave LDAP server has the benefit that when the master is down, clients
-may still be able to log onto the network. This effectively gives Samba a high degree of scalability and is
-an effective solution for large organizations. If you use an LDAP slave server for a PDC, you will need to
-ensure the master's continued availability if the slave finds its master down at the wrong time,
-you will have stability and operational problems.
-</p><p>
-<a class="indexterm" name="id336971"></a>
-<a class="indexterm" name="id336980"></a>
-<a class="indexterm" name="id336989"></a>
-<a class="indexterm" name="id336998"></a>
-While it is possible to run a Samba-3 BDC with a non-LDAP backend, that backend must allow some form of
-"two-way" propagation of changes from the BDC to the master. At this time only LDAP delivers the capability
-to propagate identity database changes from the BDC to the PDC. The BDC can use a slave LDAP server, while it
-is preferable for the PDC to use as its primary an LDAP master server.
-</p><p>
-<a class="indexterm" name="id337011"></a>
-<a class="indexterm" name="id337020"></a>
-<a class="indexterm" name="id337030"></a>
-<a class="indexterm" name="id337041"></a>
-<a class="indexterm" name="id337048"></a>
-<a class="indexterm" name="id337054"></a>
-<a class="indexterm" name="id337061"></a>
-The use of a non-LDAP backend SAM database is particularly problematic because domain member
-servers and workstations periodically change the Machine Trust Account password. The new
-password is then stored only locally. This means that in the absence of a centrally stored
-accounts database (such as that provided with an LDAP-based solution) if Samba-3 is running
-as a BDC, the BDC instance of the domain member trust account password will not reach the
-PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs, this results in
-overwriting the SAM that contains the updated (changed) trust account password with resulting
-breakage of the domain trust.
-</p><p>
-<a class="indexterm" name="id337077"></a>
-<a class="indexterm" name="id337086"></a>
-<a class="indexterm" name="id337095"></a>
-<a class="indexterm" name="id337104"></a>
-Considering the number of comments and questions raised concerning how to configure a BDC,
-let's consider each possible option and look at the pros and cons for each possible solution.
-<a class="link" href="samba-bdc.html#pdc-bdc-table" title="Table 5.1. Domain Backend Account Distribution Options">The Domain Backend Account Distribution Options table below</a> lists
-possible design configurations for a PDC/BDC infrastructure.
-</p><div class="table"><a name="pdc-bdc-table"></a><p class="title"><b>Table 5.1. Domain Backend Account Distribution Options</b></p><div class="table-contents"><table summary="Domain Backend Account Distribution Options" border="1"><colgroup><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="center">PDC Backend</th><th align="center">BDC Backend</th><th align="left">Notes/Discussion</th></tr></thead><tbody><tr><td align="center"><p>Master LDAP Server</p></td><td align="center"><p>Slave LDAP Server</p></td><td align="left"><p>The optimal solution that provides high integrity. The SAM will be
- replicated to a common master LDAP server.</p></td></tr><tr><td align="center"><p>Single Central LDAP Server</p></td><td align="center"><p>Single Central LDAP Server</p></td><td align="left"><p>
- A workable solution without failover ability. This is a usable solution, but not optimal.
- </p></td></tr><tr><td align="center"><p>tdbsam</p></td><td align="center"><p>tdbsam + <code class="literal">net rpc vampire</code></p></td><td align="left"><p>
- Does not work with Samba-3.0; Samba does not implement the
- server-side protocols required.
- </p></td></tr><tr><td align="center"><p>tdbsam</p></td><td align="center"><p>tdbsam + <code class="literal">rsync</code></p></td><td align="left"><p>
- Do not use this configuration.
- Does not work because the TDB files are live and data may not
- have been flushed to disk. Furthermore, this will cause
- domain trust breakdown.
- </p></td></tr><tr><td align="center"><p>smbpasswd file</p></td><td align="center"><p>smbpasswd file</p></td><td align="left"><p>
- Do not use this configuration.
- Not an elegant solution due to the delays in synchronization
- and also suffers
- from the issue of domain trust breakdown.
- </p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect1" title="Essential Background Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id337275"></a>Essential Background Information</h2></div></div></div><p>
-<a class="indexterm" name="id337283"></a>
-<a class="indexterm" name="id337290"></a>
-<a class="indexterm" name="id337297"></a>
-<a class="indexterm" name="id337303"></a>
-A domain controller is a machine that is able to answer logon requests from network
-workstations. Microsoft LanManager and IBM LanServer were two early products that
-provided this capability. The technology has become known as the LanMan Netlogon service.
-</p><p>
-<a class="indexterm" name="id337316"></a>
-<a class="indexterm" name="id337327"></a>
-When MS Windows NT3.10 was first released, it supported a new style of Domain Control
-and with it a new form of the network logon service that has extended functionality.
-This service became known as the NT NetLogon Service. The nature of this service has
-changed with the evolution of MS Windows NT and today provides a complex array of
-services that are implemented over an intricate spectrum of technologies.
-</p><div class="sect2" title="MS Windows NT4-style Domain Control"><div class="titlepage"><div><div><h3 class="title"><a name="id337339"></a>MS Windows NT4-style Domain Control</h3></div></div></div><p>
-<a class="indexterm" name="id337347"></a>
-<a class="indexterm" name="id337353"></a>
-<a class="indexterm" name="id337360"></a>
-<a class="indexterm" name="id337367"></a>
-<a class="indexterm" name="id337374"></a>
-<a class="indexterm" name="id337380"></a>
-<a class="indexterm" name="id337389"></a>
-Whenever a user logs into a Windows NT4/200x/XP Professional workstation,
-the workstation connects to a domain controller (authentication server) to validate that
-the username and password the user entered are valid. If the information entered
-does not match account information that has been stored in the domain
-control database (the SAM, or Security Account Manager database), a set of error
-codes is returned to the workstation that has made the authentication request.
-</p><p>
-<a class="indexterm" name="id337406"></a>
-<a class="indexterm" name="id337412"></a>
-<a class="indexterm" name="id337419"></a>
-<a class="indexterm" name="id337426"></a>
-<a class="indexterm" name="id337433"></a>
-When the username/password pair has been validated, the domain controller
-(authentication server) will respond with full enumeration of the account information
-that has been stored regarding that user in the user and machine accounts database
-for that domain. This information contains a complete network access profile for
-the user but excludes any information that is particular to the user's desktop profile,
-or for that matter it excludes all desktop profiles for groups that the user may
-belong to. It does include password time limits, password uniqueness controls,
-network access time limits, account validity information, machine names from which the
-user may access the network, and much more. All this information was stored in the SAM
-in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0).
-</p><p>
-<a class="indexterm" name="id337457"></a>
-<a class="indexterm" name="id337466"></a>
-<a class="indexterm" name="id337472"></a>
-<a class="indexterm" name="id337479"></a>
-<a class="indexterm" name="id337486"></a>
-The account information (user and machine) on domain controllers is stored in two files,
-one containing the security information and the other the SAM. These are stored in files
-by the same name in the <code class="filename">%SystemRoot%\System32\config</code> directory.
-This normally translates to the path <code class="filename">C:\WinNT\System32\config</code>. These
-are the files that are involved in replication of the SAM database where BDCs are present
-on the network.
-</p><p>
-There are two situations in which it is desirable to install BDCs:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id337518"></a>
- <a class="indexterm" name="id337524"></a>
- On the local network that the PDC is on, if there are many
- workstations and/or where the PDC is generally very busy. In this case the BDCs
- will pick up network logon requests and help to add robustness to network services.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id337537"></a>
- At each remote site, to reduce wide-area network traffic and to add stability to
- remote network operations. The design of the network, and the strategic placement of
- BDCs, together with an implementation that localizes as much of network to client
- interchange as possible, will help to minimize wide-area network bandwidth needs
- (and thus costs).
- </p></li></ul></div><p>
-<a class="indexterm" name="id337554"></a>
-<a class="indexterm" name="id337560"></a>
-<a class="indexterm" name="id337567"></a>
-<a class="indexterm" name="id337574"></a>
-<a class="indexterm" name="id337580"></a>
-The interoperation of a PDC and its BDCs in a true Windows NT4 environment is worth
-mentioning here. The PDC contains the master copy of the SAM. In the event that an
-administrator makes a change to the user account database while physically present
-on the local network that has the PDC, the change will likely be made directly to
-the PDC instance of the master copy of the SAM. In the event that this update may
-be performed in a branch office, the change will likely be stored in a delta file
-on the local BDC. The BDC will then send a trigger to the PDC to commence the process
-of SAM synchronization. The PDC will then request the delta from the BDC and apply
-it to the master SAM. The PDC will then contact all the BDCs in the domain and
-trigger them to obtain the update and then apply that to their own copy of the SAM.
-</p><p>
-<a class="indexterm" name="id337597"></a>
-<a class="indexterm" name="id337606"></a>
-<a class="indexterm" name="id337615"></a>
-<a class="indexterm" name="id337622"></a>
-Samba-3 cannot participate in true SAM replication and is therefore not able to
-employ precisely the same protocols used by MS Windows NT4. A Samba-3 BDC will
-not create SAM update delta files. It will not interoperate with a PDC (NT4 or Samba)
-to synchronize the SAM from delta files that are held by BDCs.
-</p><p>
-<a class="indexterm" name="id337634"></a>
-<a class="indexterm" name="id337641"></a>
-Samba-3 cannot function as a BDC to an MS Windows NT4 PDC, and Samba-3 cannot
-function correctly as a PDC to an MS Windows NT4 BDC. Both Samba-3 and MS Windows
-NT4 can function as a BDC to its own type of PDC.
-</p><p>
-<a class="indexterm" name="id337652"></a>
-<a class="indexterm" name="id337659"></a>
-<a class="indexterm" name="id337665"></a>
-The BDC is said to hold a <span class="emphasis"><em>read-only</em></span> of the SAM from which
-it is able to process network logon requests and authenticate users. The BDC can
-continue to provide this service, particularly while, for example, the wide-area
-network link to the PDC is down. A BDC plays a very important role in both the
-maintenance of domain security as well as in network integrity.
-</p><p>
-<a class="indexterm" name="id337682"></a>
-<a class="indexterm" name="id337689"></a>
-<a class="indexterm" name="id337695"></a>
-<a class="indexterm" name="id337702"></a>
-In the event that the NT4 PDC should need to be taken out of service, or if it dies, one of the NT4 BDCs can
-be promoted to a PDC. If this happens while the original NT4 PDC is online, it is automatically demoted to an
-NT4 BDC. This is an important aspect of domain controller management. The tool that is used to effect a
-promotion or a demotion is the Server Manager for Domains. It should be noted that Samba-3 BDCs cannot be
-promoted in this manner because reconfiguration of Samba requires changes to the <code class="filename">smb.conf</code> file. It is easy
-enough to manuall change the <code class="filename">smb.conf</code> file and then restart relevant Samba network services.
-</p><div class="sect3" title="Example PDC Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id337727"></a>Example PDC Configuration</h4></div></div></div><p>
-<a class="indexterm" name="id337735"></a>
-<a class="indexterm" name="id337742"></a>
-Beginning with Version 2.2, Samba officially supports domain logons for all current Windows clients, including
-Windows NT4, 2003, and XP Professional. For Samba to be enabled as a PDC, some parameters in the
-<em class="parameter"><code>[global]</code></em> section of the <code class="filename">smb.conf</code> have to be set. Refer to <a class="link" href="samba-bdc.html#minimalPDC" title="Example 5.1. Minimal smb.conf for a PDC in Use with a BDC LDAP Server on PDC">the Minimal smb.conf for a PDC in Use with a BDC LDAP Server on PDC
-section</a> for an example of the minimum required settings.
-</p><div class="example"><a name="minimalPDC"></a><p class="title"><b>Example 5.1. Minimal smb.conf for a PDC in Use with a BDC LDAP Server on PDC</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id337792"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id337803"></a><em class="parameter"><code>passdb backend = ldapsam://localhost:389</code></em></td></tr><tr><td><a class="indexterm" name="id337815"></a><em class="parameter"><code>domain master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id337826"></a><em class="parameter"><code>domain logons = yes</code></em></td></tr><tr><td><a class="indexterm" name="id337838"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id337849"></a><em class="parameter"><code>ldap user suffix = ou=Users</code></em></td></tr><tr><td><a class="indexterm" name="id337861"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id337873"></a><em class="parameter"><code>ldap machine suffix = ou=Computers</code></em></td></tr><tr><td><a class="indexterm" name="id337884"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id337896"></a><em class="parameter"><code>ldap admin dn = cn=sambadmin,dc=quenya,dc=org</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id337911"></a>
-<a class="indexterm" name="id337918"></a>
-Several other things like a <em class="parameter"><code>[homes]</code></em> and a <em class="parameter"><code>[netlogon]</code></em> share
-also need to be set along with settings for the profile path, the user's home drive, and so on. This is not
-covered in this chapter; for more information please refer to <a class="link" href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>.
-Refer to <a class="link" href="samba-pdc.html" title="Chapter 4. Domain Control">the Domain Control chapter</a> for specific recommendations for PDC
-configuration. Alternately, fully documented working example network configurations using OpenLDAP and Samba
-as available in the <a class="ulink" href="http://www.samba.org/samba/docs/Samba3-ByExample" target="_top">book</a> <span class="quote">&#8220;<span class="quote">Samba-3
-by Example</span>&#8221;</span> that may be obtained from local and on-line book stores.
-</p></div></div><div class="sect2" title="LDAP Configuration Notes"><div class="titlepage"><div><div><h3 class="title"><a name="id337967"></a>LDAP Configuration Notes</h3></div></div></div><p>
-<a class="indexterm" name="id337974"></a>
-<a class="indexterm" name="id337984"></a>
-<a class="indexterm" name="id337993"></a>
-When configuring a master and a slave LDAP server, it is advisable to use the master LDAP server
-for the PDC and slave LDAP servers for the BDCs. It is not essential to use slave LDAP servers; however,
-many administrators will want to do so in order to provide redundant services. Of course, one or more BDCs
-may use any slave LDAP server. Then again, it is entirely possible to use a single LDAP server for the
-entire network.
-</p><p>
-<a class="indexterm" name="id338006"></a>
-<a class="indexterm" name="id338016"></a>
-<a class="indexterm" name="id338025"></a>
-<a class="indexterm" name="id338031"></a>
-<a class="indexterm" name="id338038"></a>
-When configuring a master LDAP server that will have slave LDAP servers, do not forget to configure this in
-the <code class="filename">/etc/openldap/slapd.conf</code> file. It must be noted that the DN of a server certificate
-must use the CN attribute to name the server, and the CN must carry the servers' fully qualified domain name.
-Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details
-on server certificate names are in RFC2830.
-</p><p>
-<a class="indexterm" name="id338058"></a>
-<a class="indexterm" name="id338065"></a>
-<a class="indexterm" name="id338071"></a>
-<a class="indexterm" name="id338078"></a>
-<a class="indexterm" name="id338088"></a>
-<a class="indexterm" name="id338094"></a>
-<a class="indexterm" name="id338101"></a>
-It does not really fit within the scope of this document, but a working LDAP installation is basic to
-LDAP-enabled Samba operation. When using an OpenLDAP server with Transport Layer Security (TLS), the machine
-name in <code class="filename">/etc/ssl/certs/slapd.pem</code> must be the same as in
-<code class="filename">/etc/openldap/sldap.conf</code>. The Red Hat Linux startup script creates the
-<code class="filename">slapd.pem</code> file with hostname <span class="quote">&#8220;<span class="quote">localhost.localdomain.</span>&#8221;</span> It is impossible to
-access this LDAP server from a slave LDAP server (i.e., a Samba BDC) unless the certificate is re-created with
-a correct hostname.
-</p><p>
-<a class="indexterm" name="id338137"></a>
-<a class="indexterm" name="id338143"></a>
-<a class="indexterm" name="id338150"></a>
-<a class="indexterm" name="id338157"></a>
-<a class="indexterm" name="id338164"></a>
-<a class="indexterm" name="id338171"></a>
-Do not install a Samba PDC so that is uses an LDAP slave server. Joining client machines to the domain
-will fail in this configuration because the change to the machine account in the LDAP tree must take place on
-the master LDAP server. This is not replicated rapidly enough to the slave server that the PDC queries. It
-therefore gives an error message on the client machine about not being able to set up account credentials. The
-machine account is created on the LDAP server, but the password fields will be empty. Unfortunately, some
-sites are unable to avoid such configurations, and these sites should review the <a class="link" href="smb.conf.5.html#LDAPREPLICATIONSLEEP" target="_top">ldap replication sleep</a> parameter, intended to slow down Samba sufficiently for the replication to catch up.
-This is a kludge, and one that the administrator must manually duplicate in any scripts (such as the
-<a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a>) that they use.
-</p><p>
-Possible PDC/BDC plus LDAP configurations include:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- PDC+BDC -&gt; One Central LDAP Server.
- </p></li><li class="listitem"><p>
- PDC -&gt; LDAP master server, BDC -&gt; LDAP slave server.
- </p></li><li class="listitem"><p>
- PDC -&gt; LDAP master, with secondary slave LDAP server.
- </p><p>
- BDC -&gt; LDAP master, with secondary slave LDAP server.
- </p></li><li class="listitem"><p>
- PDC -&gt; LDAP master, with secondary slave LDAP server.
- </p><p>
- BDC -&gt; LDAP slave server, with secondary master LDAP server.
- </p></li></ul></div><p>
-In order to have a fallback configuration (secondary) LDAP server, you would specify
-the secondary LDAP server in the <code class="filename">smb.conf</code> file as shown in <a class="link" href="samba-bdc.html#mulitldapcfg" title="Example 5.2. Multiple LDAP Servers in smb.conf">the Multiple LDAP
-Servers in <code class="filename">smb.conf</code> example</a>.
-</p><div class="example"><a name="mulitldapcfg"></a><p class="title"><b>Example 5.2. Multiple LDAP Servers in <code class="filename">smb.conf</code></b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id338287"></a><em class="parameter"><code>passdb backend = ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org"</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" title="Active Directory Domain Control"><div class="titlepage"><div><div><h3 class="title"><a name="id338300"></a>Active Directory Domain Control</h3></div></div></div><p>
-<a class="indexterm" name="id338308"></a>
-<a class="indexterm" name="id338315"></a>
-<a class="indexterm" name="id338321"></a>
-<a class="indexterm" name="id338328"></a>
-<a class="indexterm" name="id338335"></a>
-<a class="indexterm" name="id338342"></a>
-As of the release of MS Windows 2000 and Active Directory, this information is now stored
-in a directory that can be replicated and for which partial or full administrative control
-can be delegated. Samba-3 is not able to be a domain controller within an Active Directory
-tree, and it cannot be an Active Directory server. This means that Samba-3 also cannot
-act as a BDC to an Active Directory domain controller.
-</p></div><div class="sect2" title="What Qualifies a Domain Controller on the Network?"><div class="titlepage"><div><div><h3 class="title"><a name="id338354"></a>What Qualifies a Domain Controller on the Network?</h3></div></div></div><p>
-<a class="indexterm" name="id338362"></a>
-<a class="indexterm" name="id338369"></a>
-<a class="indexterm" name="id338375"></a>
-<a class="indexterm" name="id338382"></a>
-Every machine that is a domain controller for the domain MIDEARTH has to register the NetBIOS
-group name MIDEARTH&lt;1C&gt; with the WINS server and/or by broadcast on the local network.
-The PDC also registers the unique NetBIOS name MIDEARTH&lt;1B&gt; with the WINS server.
-The name type &lt;1B&gt; name is normally reserved for the Domain Master Browser (DMB), a role
-that has nothing to do with anything related to authentication, but the Microsoft domain
-implementation requires the DMB to be on the same machine as the PDC.
-</p><p>
-<a class="indexterm" name="id338398"></a>
-<a class="indexterm" name="id338405"></a>
-<a class="indexterm" name="id338412"></a>
-Where a WINS server is not used, broadcast name registrations alone must suffice. Refer to
-<a class="link" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a>,<a class="link" href="NetworkBrowsing.html#netdiscuss" title="Discussion">Discussion</a>
-for more information regarding TCP/IP network protocols and how SMB/CIFS names are handled.
-</p></div><div class="sect2" title="How Does a Workstation find its Domain Controller?"><div class="titlepage"><div><div><h3 class="title"><a name="id338437"></a>How Does a Workstation find its Domain Controller?</h3></div></div></div><p>
-<a class="indexterm" name="id338445"></a>
-<a class="indexterm" name="id338452"></a>
-There are two different mechanisms to locate a domain controller: one method is used when
-NetBIOS over TCP/IP is enabled and the other when it has been disabled in the TCP/IP
-network configuration.
-</p><p>
-<a class="indexterm" name="id338463"></a>
-<a class="indexterm" name="id338470"></a>
-Where NetBIOS over TCP/IP is disabled, all name resolution involves the use of DNS, broadcast
-messaging over UDP, as well as Active Directory communication technologies. In this type of
-environment all machines require appropriate DNS entries. More information may be found in
-<a class="link" href="NetworkBrowsing.html#adsdnstech" title="DNS and Active Directory">DNS and Active Directory</a>.
-</p><div class="sect3" title="NetBIOS Over TCP/IP Enabled"><div class="titlepage"><div><div><h4 class="title"><a name="id338488"></a>NetBIOS Over TCP/IP Enabled</h4></div></div></div><p>
-<a class="indexterm" name="id338496"></a>
-<a class="indexterm" name="id338503"></a>
-<a class="indexterm" name="id338509"></a>
-<a class="indexterm" name="id338516"></a>
-An MS Windows NT4/200x/XP Professional workstation in the domain MIDEARTH that wants a
-local user to be authenticated has to find the domain controller for MIDEARTH. It does this
-by doing a NetBIOS name query for the group name MIDEARTH&lt;1C&gt;. It assumes that each
-of the machines it gets back from the queries is a domain controller and can answer logon
-requests. To not open security holes, both the workstation and the selected domain controller
-authenticate each other. After that the workstation sends the user's credentials (name and
-password) to the local domain controller for validation.
-</p></div><div class="sect3" title="NetBIOS Over TCP/IP Disabled"><div class="titlepage"><div><div><h4 class="title"><a name="id338539"></a>NetBIOS Over TCP/IP Disabled</h4></div></div></div><p>
-<a class="indexterm" name="id338547"></a>
-<a class="indexterm" name="id338554"></a>
-<a class="indexterm" name="id338561"></a>
-<a class="indexterm" name="id338567"></a>
-An MS Windows NT4/200x/XP Professional workstation in the realm <code class="constant">quenya.org</code>
-that has a need to affect user logon authentication will locate the domain controller by
-re-querying DNS servers for the <code class="constant">_ldap._tcp.pdc._msdcs.quenya.org</code> record.
-More information regarding this subject may be found in <a class="link" href="NetworkBrowsing.html#adsdnstech" title="DNS and Active Directory">DNS and Active Directory</a>.
-</p></div></div></div><div class="sect1" title="Backup Domain Controller Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id338595"></a>Backup Domain Controller Configuration</h2></div></div></div><p>
-<a class="indexterm" name="id338603"></a>
-The creation of a BDC requires some steps to prepare the Samba server before
-<span class="application">smbd</span> is executed for the first time. These steps are as follows:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id338623"></a>
- <a class="indexterm" name="id338629"></a>
- <a class="indexterm" name="id338636"></a>
- <a class="indexterm" name="id338642"></a>
- <a class="indexterm" name="id338649"></a>
- <a class="indexterm" name="id338656"></a>
- The domain SID has to be the same on the PDC and the BDC. In Samba versions pre-2.2.5, the domain SID was
- stored in the file <code class="filename">private/MACHINE.SID</code>. For all versions of Samba released since 2.2.5
- the domain SID is stored in the file <code class="filename">private/secrets.tdb</code>. This file is unique to each
- server and cannot be copied from a PDC to a BDC; the BDC will generate a new SID at startup. It will overwrite
- the PDC domain SID with the newly created BDC SID. There is a procedure that will allow the BDC to acquire the
- domain SID. This is described here.
- </p><p>
- <a class="indexterm" name="id338682"></a>
- <a class="indexterm" name="id338689"></a>
- <a class="indexterm" name="id338695"></a>
- <a class="indexterm" name="id338702"></a>
- <a class="indexterm" name="id338709"></a>
- To retrieve the domain SID from the PDC or an existing BDC and store it in the
- <code class="filename">secrets.tdb</code>, execute:
- </p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>net rpc getsid</code></strong>
-</pre></li><li class="listitem"><p>
- <a class="indexterm" name="id338748"></a>
- <a class="indexterm" name="id338755"></a>
- <a class="indexterm" name="id338761"></a>
- Specification of the <a class="link" href="smb.conf.5.html#LDAPADMINDN" target="_top">ldap admin dn</a> is obligatory.
- This also requires the LDAP administration password to be set in the <code class="filename">secrets.tdb</code>
- using the <code class="literal">smbpasswd -w <em class="replaceable"><code>mysecret</code></em></code>.
- </p></li><li class="listitem"><p>
- The <a class="link" href="smb.conf.5.html#LDAPSUFFIX" target="_top">ldap suffix</a> parameter and the <a class="link" href="smb.conf.5.html#LDAPIDMAPSUFFIX" target="_top">ldap idmap suffix</a>
- parameter must be specified in the <code class="filename">smb.conf</code> file.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id338833"></a>
- <a class="indexterm" name="id338842"></a>
- <a class="indexterm" name="id338849"></a>
- <a class="indexterm" name="id338856"></a>
- The UNIX user database has to be synchronized from the PDC to the
- BDC. This means that both the <code class="filename">/etc/passwd</code> and
- <code class="filename">/etc/group</code> have to be replicated from the PDC
- to the BDC. This can be done manually whenever changes are made.
- Alternately, the PDC is set up as an NIS master server and the BDC as an NIS slave
- server. To set up the BDC as a mere NIS client would not be enough,
- as the BDC would not be able to access its user database in case of
- a PDC failure. NIS is by no means the only method to synchronize
- passwords. An LDAP solution would also work.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id338884"></a>
- <a class="indexterm" name="id338891"></a>
- <a class="indexterm" name="id338897"></a>
- <a class="indexterm" name="id338904"></a>
- <a class="indexterm" name="id338910"></a>
- <a class="indexterm" name="id338917"></a>
- <a class="indexterm" name="id338924"></a>
- <a class="indexterm" name="id338931"></a>
- The Samba password database must be replicated from the PDC to the BDC.
- Although it is possible to synchronize the <code class="filename">smbpasswd</code>
- file with <code class="literal">rsync</code> and <code class="literal">ssh</code>, this method
- is broken and flawed, and is therefore not recommended. A better solution
- is to set up slave LDAP servers for each BDC and a master LDAP server for the PDC.
- The use of rsync is inherently flawed by the fact that the data will be replicated
- at timed intervals. There is no guarantee that the BDC will be operating at all
- times with correct and current machine and user account information. This means that
- this method runs the risk of users being inconvenienced by discontinuity of access
- to network services due to inconsistent security data. It must be born in mind that
- Windows workstations update (change) the machine trust account password at regular
- intervals administrators are not normally aware that this is happening
- or when it takes place.
- </p><p>
- <a class="indexterm" name="id338968"></a>
- <a class="indexterm" name="id338975"></a>
- <a class="indexterm" name="id338982"></a>
- <a class="indexterm" name="id338989"></a>
- The use of LDAP for both the POSIX (UNIX user and group) accounts and for the
- SambaSAMAccount data automatically ensures that all account change information
- will be written to the shared directory. This eliminates the need for any special
- action to synchronize account information because LDAP will meet that requirement.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id339003"></a>
- <a class="indexterm" name="id339010"></a>
- <a class="indexterm" name="id339016"></a>
- <a class="indexterm" name="id339023"></a>
- <a class="indexterm" name="id339029"></a>
- <a class="indexterm" name="id339036"></a>
- The netlogon share has to be replicated from the PDC to the BDC. This can be done manually whenever login
- scripts are changed, or it can be done automatically using a <code class="literal">cron</code> job that will replicate
- the directory structure in this share using a tool like <code class="literal">rsync</code>. The use of
- <code class="literal">rsync</code> for replication of the netlogon data is not critical to network security and is one
- that can be manually managed given that the administrator will make all changes to the netlogon share as part
- of a conscious move.
- </p></li></ul></div><div class="sect2" title="Example Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="id339066"></a>Example Configuration</h3></div></div></div><p>
-Finally, the BDC has to be capable of being found by the workstations. This can be done by configuring the
-Samba <code class="filename">smb.conf</code> file <em class="parameter"><code>[global]</code></em> section as shown in <a class="link" href="samba-bdc.html#minim-bdc" title="Example 5.3. Minimal Setup for Being a BDC">Minimal
-Setup for Being a BDC</a>.
-</p><div class="example"><a name="minim-bdc"></a><p class="title"><b>Example 5.3. Minimal Setup for Being a BDC</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id339110"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id339121"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://slave-ldap.quenya.org</code></em></td></tr><tr><td><a class="indexterm" name="id339133"></a><em class="parameter"><code>domain master = no</code></em></td></tr><tr><td><a class="indexterm" name="id339144"></a><em class="parameter"><code>domain logons = yes</code></em></td></tr><tr><td><a class="indexterm" name="id339156"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id339167"></a><em class="parameter"><code>ldap user suffix = ou=Users</code></em></td></tr><tr><td><a class="indexterm" name="id339179"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id339191"></a><em class="parameter"><code>ldap machine suffix = ou=Computers</code></em></td></tr><tr><td><a class="indexterm" name="id339202"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id339214"></a><em class="parameter"><code>ldap admin dn = cn=sambadmin,dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id339226"></a><em class="parameter"><code>idmap backend = ldap:ldap://master-ldap.quenya.org</code></em></td></tr><tr><td><a class="indexterm" name="id339237"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id339249"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table></div></div><br class="example-break"><p>
-Fully documented working example network configurations using OpenLDAP and Samba
-as available in the <a class="ulink" href="http://www.samba.org/samba/docs/Samba3-ByExample" target="_top">book</a> <span class="quote">&#8220;<span class="quote">Samba-3
-by Example</span>&#8221;</span> that may be obtained from local and on-line book stores.
-</p><p>
-<a class="indexterm" name="id339278"></a>
-<a class="indexterm" name="id339284"></a>
-<a class="indexterm" name="id339291"></a>
-<a class="indexterm" name="id339298"></a>
-This configuration causes the BDC to register only the name MIDEARTH&lt;1C&gt; with the WINS server. This is
-not a problem, as the name MIDEARTH&lt;1C&gt; is a NetBIOS group name that is meant to be registered by more
-than one machine. The parameter <a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master = no</a> forces the BDC not to
-register MIDEARTH&lt;1B&gt;, which is a unique NetBIOS name that is reserved for the PDC.
-</p><p>
-<a class="indexterm" name="id339324"></a>
-<a class="indexterm" name="id339330"></a>
-<a class="indexterm" name="id339337"></a>
-<a class="indexterm" name="id339344"></a>
-<a class="indexterm" name="id339351"></a>
-<a class="indexterm" name="id339358"></a>
-<a class="indexterm" name="id339365"></a>
-<a class="indexterm" name="id339372"></a>
-<a class="indexterm" name="id339378"></a>
-The <em class="parameter"><code>idmap backend</code></em> will redirect the <code class="literal">winbindd</code> utility to use the LDAP
-database to store all mappings for Windows SIDs to UIDs and GIDs for UNIX accounts in a repository that is
-shared. The BDC will however depend on local resolution of UIDs and GIDs via NSS and the
-<code class="literal">nss_ldap</code> utility.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id339409"></a>
-<a class="indexterm" name="id339418"></a>
-<a class="indexterm" name="id339425"></a>
-<a class="indexterm" name="id339432"></a>
-Samba-3 has introduced a new ID mapping facility. One of the features of this facility is that it
-allows greater flexibility in how user and group IDs are handled in respect to NT domain user and group
-SIDs. One of the new facilities provides for explicitly ensuring that UNIX/Linux UID and GID values
-will be consistent on the PDC, all BDCs, and all domain member servers. The parameter that controls this
-is called <em class="parameter"><code>idmap backend</code></em>. Please refer to the man page for <code class="filename">smb.conf</code> for more information
-regarding its behavior.
-</p></div><p>
-<a class="indexterm" name="id339461"></a>
-<a class="indexterm" name="id339468"></a>
-<a class="indexterm" name="id339475"></a>
-The use of the <a class="link" href="smb.conf.5.html#IDMAPBACKEND" target="_top">idmap backend = ldap:ldap://master.quenya.org</a>
-option on a BDC only makes sense where ldapsam is used on a PDC. The purpose of an LDAP-based idmap backend is
-also to allow a domain member (without its own passdb backend) to use winbindd to resolve Windows network users
-and groups to common UID/GIDs. In other words, this option is generally intended for use on BDCs and on domain
-member servers.
-</p></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id339500"></a>Common Errors</h2></div></div></div><p>
-<a class="indexterm" name="id339508"></a>
-Domain control was a new area for Samba, but there are now many examples that we may refer to.
-Updated information will be published as they become available and may be found in later Samba releases or
-from the Samba Web <a class="ulink" href="http://samba.org" target="_top">site</a>; refer in particular to the
-<code class="filename">WHATSNEW.txt</code> in the Samba release tarball. The book, <span class="quote">&#8220;<span class="quote">Samba-3 by Example</span>&#8221;</span>
-documents well tested and proven configuration examples. You can obtain a copy of this
-<a class="ulink" href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">book</a> for the Samba web site.
-</p><div class="sect2" title="Machine Accounts Keep Expiring"><div class="titlepage"><div><div><h3 class="title"><a name="id339540"></a>Machine Accounts Keep Expiring</h3></div></div></div><p>
-<a class="indexterm" name="id339548"></a>
-<a class="indexterm" name="id339555"></a>
-<a class="indexterm" name="id339562"></a>
-<a class="indexterm" name="id339568"></a>
-This problem will occur when the passdb (SAM) files are copied from a central
-server but the local BDC is acting as a PDC. This results in the application of
-Local Machine Trust Account password updates to the local SAM. Such updates
-are not copied back to the central server. The newer machine account password is then
-overwritten when the SAM is recopied from the PDC. The result is that the domain member machine
-on startup will find that its passwords do not match the one now in the database, and
-since the startup security check will now fail, this machine will not allow logon attempts
-to proceed and the account expiry error will be reported.
-</p><p>
-The solution is to use a more robust passdb backend, such as the ldapsam backend, setting up
-a slave LDAP server for each BDC and a master LDAP server for the PDC.
-</p></div><div class="sect2" title="Can Samba Be a Backup Domain Controller to an NT4 PDC?"><div class="titlepage"><div><div><h3 class="title"><a name="id339588"></a>Can Samba Be a Backup Domain Controller to an NT4 PDC?</h3></div></div></div><p>
-<a class="indexterm" name="id339596"></a>
-<a class="indexterm" name="id339605"></a>
-No. The native NT4 SAM replication protocols have not yet been fully implemented.
-</p><p>
-<a class="indexterm" name="id339614"></a>
-<a class="indexterm" name="id339621"></a>
-<a class="indexterm" name="id339627"></a>
-Can I get the benefits of a BDC with Samba? Yes, but only to a Samba PDC.The
-main reason for implementing a BDC is availability. If the PDC is a Samba
-machine, a second Samba machine can be set up to service logon requests whenever
-the PDC is down.
-</p></div><div class="sect2" title="How Do I Replicate the smbpasswd File?"><div class="titlepage"><div><div><h3 class="title"><a name="id339639"></a>How Do I Replicate the smbpasswd File?</h3></div></div></div><p>
-<a class="indexterm" name="id339646"></a>
-<a class="indexterm" name="id339655"></a>
-<a class="indexterm" name="id339662"></a>
-Replication of the smbpasswd file is sensitive. It has to be done whenever changes
-to the SAM are made. Every user's password change is done in the smbpasswd file and
-has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.
-</p><p>
-<a class="indexterm" name="id339674"></a>
-<a class="indexterm" name="id339681"></a>
-<a class="indexterm" name="id339688"></a>
-As the smbpasswd file contains plaintext password equivalents, it must not be
-sent unencrypted over the wire. The best way to set up smbpasswd replication from
-the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
-<code class="literal">ssh</code> itself can be set up to accept <span class="emphasis"><em>only</em></span>
-<code class="literal">rsync</code> transfer without requiring the user to type a password.
-</p><p>
-<a class="indexterm" name="id339715"></a>
-<a class="indexterm" name="id339722"></a>
-As said a few times before, use of this method is broken and flawed. Machine trust
-accounts will go out of sync, resulting in a broken domain. This method is
-<span class="emphasis"><em>not</em></span> recommended. Try using LDAP instead.
-</p></div><div class="sect2" title="Can I Do This All with LDAP?"><div class="titlepage"><div><div><h3 class="title"><a name="id339736"></a>Can I Do This All with LDAP?</h3></div></div></div><p>
-<a class="indexterm" name="id339744"></a>
-<a class="indexterm" name="id339751"></a>
-The simple answer is yes. Samba's pdb_ldap code supports binding to a replica
-LDAP server and will also follow referrals and rebind to the master if it ever
-needs to make a modification to the database. (Normally BDCs are read-only, so
-this will not occur often).
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. Domain Control </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. Domain Membership</td></tr></table></div></body></html>
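Review bot: the deleted "How Do I Replicate the smbpasswd File?" section at the end of this hunk is where the page warns that the smbpasswd file contains plaintext password equivalents and must not be sent unencrypted, and that rsync-based replication leaves machine trust accounts out of sync. Nothing in the visible diff says where that guidance lives once this rendered page is removed. Suggest stating in the commit message whether these HTML files are generated output that is rebuilt from the documentation source, so the deletion reads as a cleanup and not as a withdrawal of the "not recommended, try using LDAP instead" advice.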
diff --git a/docs/htmldocs/Samba3-HOWTO/samba-pdc.html b/docs/htmldocs/Samba3-HOWTO/samba-pdc.html
deleted file mode 100644
index b325e490f9..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/samba-pdc.html
+++ /dev/null
@@ -1,890 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Domain Control</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="ServerType.html" title="Chapter 3. Server Types and Security Modes"><link rel="next" href="samba-bdc.html" title="Chapter 5. Backup Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 4. Domain Control"><div class="titlepage"><div><div><h2 class="title"><a name="samba-pdc"></a>Chapter 4. 
Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="samba-pdc.html#id332816">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id333870">Basics of Domain Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id333888">Domain Controller Types</a></span></dt><dt><span 
class="sect2"><a href="samba-pdc.html#id334343">Preparing for Domain Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id335523">Samba ADS Domain Control</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id335566">Domain and Network Logon Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id335583">Domain Network Logon Service</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336119">Security Mode and Master Browsers</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id336354">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id336359"><span class="quote">&#8220;<span class="quote">$</span>&#8221;</span> Cannot Be Included in Machine Name</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336454">Joining Domain Fails Because of Existing Machine Account</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336513">The System Cannot Log You On (C000019B)</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336578">The Machine Trust Account Is Not Accessible</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336685">Account Disabled</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336710">Domain Controller Unavailable</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336727">Cannot Log onto Domain Member Workstation After Joining Domain</a></span></dt></dl></dd></dl></div><p>
-There are many who approach MS Windows networking with incredible misconceptions.
-That's okay, because it gives the rest of us plenty of opportunity to be of assistance.
-Those who really want help are well advised to become familiar with information
-that is already available.
-</p><p>
-<a class="indexterm" name="id332704"></a>
-You are advised not to tackle this section without having first understood
-and mastered some basics. MS Windows networking is not particularly forgiving of
-misconfiguration. Users of MS Windows networking are likely to complain
-of persistent niggles that may be caused by a broken network configuration.
-To a great many people, however, MS Windows networking starts with a domain controller
-that in some magical way is expected to solve all network operational ills.
-</p><p>
-<a class="link" href="samba-pdc.html#domain-example" title="Figure 4.1. An Example Domain.">The Example Domain Illustration</a> shows a typical MS Windows domain security
-network environment. Workstations A, B, and C are representative of many physical MS Windows
-network clients.
-</p><div class="figure"><a name="domain-example"></a><p class="title"><b>Figure 4.1. An Example Domain.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/domain.png" width="216" alt="An Example Domain."></div></div></div><br class="figure-break"><p>
-From the Samba mailing list we can readily identify many common networking issues.
-If you are not clear on the following subjects, then it will do much good to read the
-sections of this HOWTO that deal with it. These are the most common causes of MS Windows
-networking problems:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Basic TCP/IP configuration.</p></li><li class="listitem"><p>NetBIOS name resolution.</p></li><li class="listitem"><p>Authentication configuration.</p></li><li class="listitem"><p>User and group configuration.</p></li><li class="listitem"><p>Basic file and directory permission control in UNIX/Linux.</p></li><li class="listitem"><p>Understanding how MS Windows clients interoperate in a network environment.</p></li></ul></div><p>
-Do not be put off; on the surface of it MS Windows networking seems so simple that anyone
-can do it. In fact, it is not a good idea to set up an MS Windows network with
-inadequate training and preparation. But let's get our first indelible principle out of the
-way: <span class="emphasis"><em>It is perfectly okay to make mistakes!</em></span> In the right place and at
-the right time, mistakes are the essence of learning. It is very much not okay to make
-mistakes that cause loss of productivity and impose an avoidable financial burden on an
-organization.
-</p><p>
-Where is the right place to make mistakes? Only out of harms way. If you are going to
-make mistakes, then please do it on a test network, away from users, and in such a way as
-to not inflict pain on others. Do your learning on a test network.
-</p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id332816"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id332824"></a>
-<span class="emphasis"><em>What is the key benefit of Microsoft Domain Security?</em></span>
-</p><p>
-<a class="indexterm" name="id332836"></a>
-<a class="indexterm" name="id332845"></a>
-<a class="indexterm" name="id332851"></a>
-<a class="indexterm" name="id332857"></a>
-In a word, <span class="emphasis"><em>single sign-on</em></span>, or SSO for short. To many, this is the Holy Grail of MS
-Windows NT and beyond networking. SSO allows users in a well-designed network to log onto any workstation that
-is a member of the domain that contains their user account (or in a domain that has an appropriate trust
-relationship with the domain they are visiting) and they will be able to log onto the network and access
-resources (shares, files, and printers) as if they are sitting at their home (personal) workstation. This is a
-feature of the domain security protocols.
-</p><p>
-<a class="indexterm" name="id332879"></a>
-<a class="indexterm" name="id332885"></a>
-<a class="indexterm" name="id332891"></a>
-<a class="indexterm" name="id332900"></a>
-<a class="indexterm" name="id332908"></a>
-The benefits of domain security are available to those sites that deploy a Samba PDC. A domain provides a
-unique network security identifier (SID). Domain user and group security identifiers are comprised of the
-network SID plus a relative identifier (RID) that is unique to the account. User and group SIDs (the network
-SID plus the RID) can be used to create access control lists (ACLs) attached to network resources to provide
-organizational access control. UNIX systems recognize only local security identifiers.
-</p><p>
-<a class="indexterm" name="id332922"></a>
-A SID represents a security context. For example, every Windows machine has local accounts within the security
-context of the local machine which has a unique SID. Every domain (NT4, ADS, Samba) contains accounts that
-exist within the domain security context which is defined by the domain SID.
-</p><p>
-<a class="indexterm" name="id332934"></a>
-<a class="indexterm" name="id332940"></a>
-A domain member server will have a SID that differs from the domain SID. The domain member server can be
-configured to regard all domain users as local users. It can also be configured to recognize domain users and
-groups as non-local. SIDs are persistent. A typical domain of user SID looks like this:
-</p><pre class="screen">
-S-1-5-21-726309263-4128913605-1168186429
-</pre><p>
-Every account (user, group, machine, trust, etc.) is assigned a RID. This is done automatically as an account
-is created. Samba produces the RID algorithmically. The UNIX operating system uses a separate name space for
-user and group identifiers (the UID and GID) but Windows allocates the RID from a single name space. A Windows
-user and a Windows group can not have the same RID. Just as the UNIX user <code class="literal">root</code> has the
-UID=0, the Windows Administrator has the well-known RID=500. The RID is catenated to the Windows domain SID,
-so Administrator account for a domain that has the above SID will have the user SID
-</p><pre class="screen">
-S-1-5-21-726309263-4128913605-1168186429-500
-</pre><p>
-The result is that every account in the Windows networking world has a globally unique security identifier.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id332976"></a>
-<a class="indexterm" name="id332984"></a>
-<a class="indexterm" name="id332990"></a>
-Network clients of an MS Windows domain security environment must be domain members to be able to gain access
-to the advanced features provided. Domain membership involves more than just setting the workgroup name to the
-domain name. It requires the creation of a domain trust account for the workstation (called a machine
-account). Refer to <a class="link" href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a> for more information.
-</p></div><p>
-The following functionalities are new to the Samba-3 release:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id333017"></a>
- Samba-3 supports the use of a choice of backends that may be used in which user, group and machine
- accounts may be stored. Multiple passwd backends can be used in combination, either as additive backend
- data sets, or as fail-over data sets.
- </p><p>
- <a class="indexterm" name="id333031"></a>
- <a class="indexterm" name="id333037"></a>
- <a class="indexterm" name="id333043"></a>
- <a class="indexterm" name="id333050"></a>
- <a class="indexterm" name="id333056"></a>
- An LDAP passdb backend confers the benefit that the account backend can be distributed and replicated,
- which is of great value because it confers scalability and provides a high degree of reliability.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id333068"></a>
- <a class="indexterm" name="id333079"></a>
- <a class="indexterm" name="id333087"></a>
- Windows NT4 domain trusts. Samba-3 supports workstation and server (machine) trust accounts. It also
- supports Windows NT4 style interdomain trust accounts, which further assists in network scalability
- and interoperability.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id333100"></a>
- <a class="indexterm" name="id333106"></a>
- <a class="indexterm" name="id333112"></a>
- <a class="indexterm" name="id333119"></a>
- <a class="indexterm" name="id333127"></a>
- <a class="indexterm" name="id333135"></a>
- Operation without NetBIOS over TCP/IP, rather using the raw SMB over TCP/IP. Note, this is feasible
- only when operating as a Microsoft active directory domain member server. When acting as a Samba domain
- controller the use of NetBIOS is necessary to provide network browsing support.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id333151"></a>
- <a class="indexterm" name="id333157"></a>
- <a class="indexterm" name="id333163"></a>
- Samba-3 provides NetBIOS name services (WINS), NetBIOS over TCP/IP (TCP port 139) session services, SMB over
- TCP/IP (TCP port 445) session services, and Microsoft compatible ONC DCE RPC services (TCP port 135)
- services.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id333176"></a>
- Management of users and groups via the User Manager for Domains. This can be done on any MS Windows client
- using the <code class="filename">Nexus.exe</code> toolkit for Windows 9x/Me, or using the SRVTOOLS.EXE package for MS
- Windows NT4/200x/XP platforms. These packages are available from Microsoft's Web site.
- </p></li><li class="listitem"><p>
- Implements full Unicode support. This simplifies cross-locale internationalization support. It also opens up
- the use of protocols that Samba-2.2.x had but could not use due to the need to fully support Unicode.
- </p></li></ul></div><p>
-The following functionalities are not provided by Samba-3:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id333207"></a>
- <a class="indexterm" name="id333214"></a>
- SAM replication with Windows NT4 domain controllers (i.e., a Samba PDC and a Windows NT BDC, or vice versa).
- This means Samba cannot operate as a BDC when the PDC is Microsoft-based Windows NT PDC. Samba-3 can not
- participate in replication of account data to Windows PDCs and BDCs.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id333227"></a>
- <a class="indexterm" name="id333233"></a>
- Acting as a Windows 2000 active directory domain controller (i.e., Kerberos and Active Directory). In point of
- fact, Samba-3 does have some Active Directory domain control ability that is at this time purely experimental.
- Active directory domain control is one of the features that is being developed in Samba-4, the next
- generation Samba release. At this time there are no plans to enable active directory domain control
- support during the Samba-3 series life-cycle.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id333249"></a>
- <a class="indexterm" name="id333255"></a>
- <a class="indexterm" name="id333262"></a>
- The Windows 200x/XP Microsoft Management Console (MMC) cannot be used to manage a Samba-3 server. For this you
- can use only the MS Windows NT4 Domain Server Manager and the MS Windows NT4 Domain User Manager. Both are
- part of the SVRTOOLS.EXE package mentioned later.
- </p></li></ul></div><p>
-<a class="indexterm" name="id333278"></a>
-<a class="indexterm" name="id333284"></a>
-Windows 9x/Me/XP Home clients are not true members of a domain for reasons outlined in this chapter. The
-protocol for support of Windows 9x/Me-style network (domain) logons is completely different from NT4/Windows
-200x-type domain logons and has been officially supported for some time. These clients use the old LanMan
-network logon facilities that are supported in Samba since approximately the Samba-1.9.15 series.
-</p><p>
-<a class="indexterm" name="id333298"></a>
-Samba-3 implements group mapping between Windows NT groups and UNIX groups (this is really quite complicated
-to explain in a short space). This is discussed more fully in <a class="link" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX">Group Mapping: MS
-Windows and UNIX</a>.
-</p><p>
-<a class="indexterm" name="id333319"></a>
-<a class="indexterm" name="id333326"></a>
-<a class="indexterm" name="id333335"></a>
-Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store user and Machine Trust
-Account information in a suitable backend data-store. Refer to <a class="link" href="domain-member.html#machine-trust-accounts" title="MS Windows Workstation/Server Machine Trust Accounts">MS
-Windows Workstation/Server Machine Trust Accounts</a>. With Samba-3 there can be multiple backends for
-this. A complete discussion of account database backends can be found in <a class="link" href="passdb.html" title="Chapter 11. Account Information Databases">Account
-Information Databases</a>.
-</p></div><div class="sect1" title="Single Sign-On and Domain Security"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333361"></a>Single Sign-On and Domain Security</h2></div></div></div><p>
-<a class="indexterm" name="id333369"></a>
-<a class="indexterm" name="id333378"></a>
-<a class="indexterm" name="id333384"></a>
-<a class="indexterm" name="id333391"></a>
-<a class="indexterm" name="id333398"></a>
-<a class="indexterm" name="id333405"></a>
-<a class="indexterm" name="id333411"></a>
-When network administrators are asked to describe the benefits of Windows NT4 and active directory networking
-the most often mentioned feature is that of single sign-on (SSO). Many companies have implemented SSO
-solutions. The mode of implementation of a single sign-on solution is an important factor in the practice of
-networking in general, and is critical in respect of Windows networking. A company may have a wide variety of
-information systems, each of which requires a form of user authentication and validation, thus it is not
-uncommon that users may need to remember more than ten login IDs and passwords. This problem is compounded
-when the password for each system must be changed at regular intervals, and particularly so where password
-uniqueness and history limits are applied.
-</p><p>
-<a class="indexterm" name="id333428"></a>
-There is a broadly held perception that SSO is the answer to the problem of users having to deal with too many
-information system access credentials (username/password pairs). Many elaborate schemes have been devised to
-make it possible to deliver a user-friendly SSO solution. The trouble is that if this implementation is not
-done correctly, the site may end up paying dearly by way of complexity and management overheads. Simply put,
-many SSO solutions are an administrative nightmare.
-</p><p>
-<a class="indexterm" name="id333442"></a>
-<a class="indexterm" name="id333449"></a>
-<a class="indexterm" name="id333456"></a>
-SSO implementations utilize centralization of all user account information. Depending on environmental
-complexity and the age of the systems over which a SSO solution is implemented, it may not be possible to
-change the solution architecture so as to accommodate a new identity management and user authentication system.
-Many SSO solutions involving legacy systems consist of a new super-structure that handles authentication on
-behalf of the user. The software that gets layered over the old system may simply implement a proxy
-authentication system. This means that the addition of SSO increases over-all information systems complexity.
-Ideally, the implementation of SSO should reduce complexity and reduce administative overheads.
-</p><p>
-<a class="indexterm" name="id333472"></a>
-<a class="indexterm" name="id333479"></a>
-<a class="indexterm" name="id333488"></a>
-<a class="indexterm" name="id333497"></a>
-<a class="indexterm" name="id333504"></a>
-The initial goal of many network administrators is often to create and use a centralized identity management
-system. It is often assumed that such a centralized system will use a single authentication infrastructure
-that can be used by all information systems. The Microsoft Windows NT4 security domain architecture and the
-Micrsoft active directory service are often put forward as the ideal foundation for such a system. It is
-conceptually simple to install an external authentication agent on each of the disparate infromation systems
-that can then use the Microsoft (NT4 domain or ads service) for user authentication and access control. The
-wonderful dream of a single centralized authentication service is commonly broken when realities are realized.
-The problem with legacy systems is often the inability to externalize the authentication and access control
-system it uses because its implementation will be excessively invasive from a re-engineering perspective, or
-because application software has built-in dependencies on particular elements of the way user authentication
-and access control were designed and built.
-</p><p>
-<a class="indexterm" name="id333524"></a>
-<a class="indexterm" name="id333531"></a>
-<a class="indexterm" name="id333537"></a>
-<a class="indexterm" name="id333544"></a>
-<a class="indexterm" name="id333551"></a>
-<a class="indexterm" name="id333558"></a>
-<a class="indexterm" name="id333565"></a>
-<a class="indexterm" name="id333572"></a>
-Over the past decade an industry has been developed around the various methods that have been built to get
-around the key limitations of legacy information technology systems. One approach that is often used involves
-the use of a meta-directory. The meta-directory stores user credentials for all disparate information systems
-in the format that is particular to each system. An elaborate set of management procedures is coupled with a
-rigidly enforced work-flow protocol for managing user rights and privileges within the maze of systems that
-are provisioned by the new infrastructure makes possible user access to all systems using a single set of user
-credentials.
-</p><p>
-<a class="indexterm" name="id333587"></a>
-<a class="indexterm" name="id333597"></a>
-<a class="indexterm" name="id333606"></a>
-<a class="indexterm" name="id333615"></a>
-The Organization for the Advancement of Structured Information Standards (OASIS) has developed the Security
-Assertion Markup Language (SAML), a structured method for communication of authentication information. The
-over-all umbrella name for the technologies and methods that deploy SAML is called Federated Identity
-Management (FIM). FIM depends on each system in the complex maze of disparate information systems to
-authenticate their respective users and vouch for secure access to the services each provides.
-</p><p>
-<a class="indexterm" name="id333630"></a>
-<a class="indexterm" name="id333639"></a>
-<a class="indexterm" name="id333646"></a>
-<a class="indexterm" name="id333653"></a>
-<a class="indexterm" name="id333659"></a>
-<a class="indexterm" name="id333665"></a>
-SAML documents can be wrapped in a Simple Object Access Protocol (SOAP) message for the computer-to-computer
-communications needed for Web services. Or they may be passed between Web servers of federated organizations
-that share live services. The Liberty Alliance, an industry group formed to promote federated-identity
-standards, has adopted SAML 1.1 as part of its application framework. Microsoft and IBM have proposed an
-alternative specification called WS-Security. Some believe that the competing technologies and methods may
-converge when the SAML 2.0 standard is introduced. A few Web access-management products support SAML today,
-but implementation of the technology mostly requires customization to integrate applications and develop user
-interfaces. In a nutshell, that is why FIM is a big and growing industry.
-</p><p>
-<a class="indexterm" name="id333687"></a>
-<a class="indexterm" name="id333694"></a>
-<a class="indexterm" name="id333701"></a>
-<a class="indexterm" name="id333708"></a>
-<a class="indexterm" name="id333714"></a>
-Ignoring the bigger picture, which is beyond the scope of this book, the migration of all user and group
-management to a centralized system is a step in the right direction. It is essential for interoperability
-reasons to locate the identity management system data in a directory such as Microsoft Active Directory
-Service (ADS), or any proprietary or open source system that provides a standard protocol for information
-access (such as LDAP) and that can be coupled with a flexible array of authentication mechanisms (such as
-kerberos) that use the protocols that are defined by the various general security service application
-programming interface (GSSAPI) services.
-</p><p>
-<a class="indexterm" name="id333733"></a>
-<a class="indexterm" name="id333740"></a>
-<a class="indexterm" name="id333746"></a>
-A growing number of companies provide authentication agents for disparate legacy platforms to permit the use
-of LDAP systems. Thus the use of OpenLDAP, the dominant open source software implementation of the light
-weight directory access protocol standard. This fact, means that by providing support in Samba for the use of
-LDAP and Microsoft ADS make Samba a highly scalable and forward reaching organizational networking technology.
-</p><p>
-<a class="indexterm" name="id333760"></a>
-<a class="indexterm" name="id333766"></a>
-<a class="indexterm" name="id333773"></a>
-<a class="indexterm" name="id333780"></a>
-<a class="indexterm" name="id333787"></a>
-<a class="indexterm" name="id333794"></a>
-Microsoft ADS provides purely proprietary services that, with limitation, can be extended to provide a
-centralized authentication infrastructure. Samba plus LDAP provides a similar opportunity for extension of a
-centralized authentication architecture, but it is the fact that the Samba Team are pro-active in introducing
-the extension of authentication services, using LDAP or otherwise, to applications such as SQUID (the open
-source proxy server) through tools such as the <code class="literal">ntlm_auth</code> utility, that does much to create
-sustainable choice and competition in the FIM market place.
-</p><p>
-<a class="indexterm" name="id333814"></a>
-<a class="indexterm" name="id333821"></a>
-<a class="indexterm" name="id333828"></a>
-Primary domain control, if it is to be scalable to meet the needs of large sites, must therefore be capable of
-using LDAP. The rapid adoption of OpenLDAP, and Samba configurations that use it, is ample proof that the era
-of the directory has started. Samba-3 does not demand the use of LDAP, but the demand for a mechanism by which
-user and group identity information can be distributed makes it an an unavoidable option.
-</p><p>
-<a class="indexterm" name="id333845"></a>
-<a class="indexterm" name="id333852"></a>
-<a class="indexterm" name="id333858"></a>
-At this time, the use of Samba based BDCs, necessitates the use of LDAP. The most commonly used LDAP
-implementation used by Samba sites is OpenLDAP. It is possible to use any standards compliant LDAP server.
-Those known to work includes those manufactured by: IBM, CA, Novell (e-Directory), and others.
-</p></div><div class="sect1" title="Basics of Domain Control"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id333870"></a>Basics of Domain Control</h2></div></div></div><p>
-<a class="indexterm" name="id333878"></a>
-Over the years, public perceptions of what domain control really is has taken on an almost mystical nature.
-Before we branch into a brief overview of domain control, there are three basic types of domain controllers.
-</p><div class="sect2" title="Domain Controller Types"><div class="titlepage"><div><div><h3 class="title"><a name="id333888"></a>Domain Controller Types</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>NT4 style Primary Domain Controller</p></li><li class="listitem"><p>NT4 style Backup Domain Controller</p></li><li class="listitem"><p>ADS Domain Controller</p></li></ul></div><p>
-<a class="indexterm" name="id333913"></a>
-<a class="indexterm" name="id333919"></a>
-<a class="indexterm" name="id333926"></a>
-<a class="indexterm" name="id333935"></a>
-The <span class="emphasis"><em>Primary Domain Controller</em></span> or PDC plays an important role in MS Windows NT4. In
-Windows 200x domain control architecture, this role is held by domain controllers. Folklore dictates that
-because of its role in the MS Windows network, the domain controller should be the most powerful and most
-capable machine in the network. As strange as it may seem to say this here, good overall network performance
-dictates that the entire infrastructure needs to be balanced. It is advisable to invest more in standalone
-(domain member) servers than in the domain controllers.
-</p><p>
-<a class="indexterm" name="id333958"></a>
-<a class="indexterm" name="id333965"></a>
-<a class="indexterm" name="id333972"></a>
-<a class="indexterm" name="id333978"></a>
-<a class="indexterm" name="id333985"></a>
-In the case of MS Windows NT4-style domains, it is the PDC that initiates a new domain control database.
-This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key
-part in NT4-type domain user authentication and in synchronization of the domain authentication
-database with BDCs.
-</p><p>
-<a class="indexterm" name="id334000"></a>
-<a class="indexterm" name="id334012"></a>
-<a class="indexterm" name="id334019"></a>
-<a class="indexterm" name="id334028"></a>
-With MS Windows 200x Server-based Active Directory domains, one domain controller initiates a potential
-hierarchy of domain controllers, each with its own area of delegated control. The master domain
-controller has the ability to override any downstream controller, but a downline controller has
-control only over its downline. With Samba-3, this functionality can be implemented using an
-LDAP-based user and machine account backend.
-</p><p>
-<a class="indexterm" name="id334042"></a>
-<a class="indexterm" name="id334048"></a>
-New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM
-database (one of the registry files)<sup>[<a name="id334056" href="#ftn.id334056" class="footnote">1</a>]</sup>
-</p><p>
-<a class="indexterm" name="id334071"></a>
-<a class="indexterm" name="id334078"></a>
-<a class="indexterm" name="id334084"></a>
-<a class="indexterm" name="id334091"></a>
-<a class="indexterm" name="id334098"></a>
-<a class="indexterm" name="id334104"></a>
-The <span class="emphasis"><em>Backup Domain Controller</em></span> or BDC plays a key role in servicing network authentication
-requests. The BDC is biased to answer logon requests in preference to the PDC. On a network segment that has
-a BDC and a PDC, the BDC will most likely service network logon requests. The PDC will answer network logon
-requests when the BDC is too busy (high load). When a user logs onto a Windows domain member client the
-workstation will query the network to locate the nearest network logon server. Where a WINS server is used,
-this is done via a query to the WINS server. If a netlogon server can not be found from the WINS query, or in
-the absence of a WINS server, the workstation will perform a NetBIOS name lookup via a mailslot broadcast over
-the UDP broadcast protocol. This means that the netlogon server that the windows client will use is influenced
-by a number of variables, thus there is no simple determinant of whether a PDC or a BDC will serve a
-particular logon authentication request.
-</p><p>
-<a class="indexterm" name="id334126"></a>
-<a class="indexterm" name="id334133"></a>
-A Windows NT4 BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to PDC,
-the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic operation; the PDC
-and BDC must be manually configured, and other appropriate changes also need to be made.
-</p><p>
-<a class="indexterm" name="id334146"></a>
-With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be.
-It is possible to promote a BDC to a PDC, and vice versa. The only method Microsoft provide to convert a
-Windows NT4 domain controller to a domain member server or a standalone server is to reinstall it. The install
-time choices offered are:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>Primary Domain Controller</em></span> the one that seeds the domain SAM.</p></li><li class="listitem"><p><span class="emphasis"><em>Backup Domain Controller</em></span> one that obtains a copy of the domain SAM.</p></li><li class="listitem"><p><span class="emphasis"><em>Domain Member Server</em></span> one that has no copy of the domain SAM; rather
- it obtains authentication from a domain controller for all access controls.</p></li><li class="listitem"><p><span class="emphasis"><em>Standalone Server</em></span> one that plays no part in SAM synchronization,
- has its own authentication database, and plays no role in domain security.</p></li></ul></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id334209"></a>
-Algin Technology LLC provide a commercial tool that makes it possible to promote a Windows NT4 standalone
-server to a PDC or a BDC, and also permits this process to be reversed. Refer to the <a class="ulink" href="http://utools.com/UPromote.asp" target="_top">Algin</a> web site for further information.
-</p></div><p>
-<a class="indexterm" name="id334226"></a>
-<a class="indexterm" name="id334238"></a>
-Samba-3 servers can readily be converted to and from domain controller roles through simple changes to the
-<code class="filename">smb.conf</code> file. Samba-3 is capable of acting fully as a native member of a Windows 200x server Active
-Directory domain.
-</p><p>
-<a class="indexterm" name="id334255"></a>
-For the sake of providing a complete picture, MS Windows 2000 domain control configuration is done after the server has been
-installed. Please refer to Microsoft documentation for the procedures that should be followed to convert a
-domain member server to or from a domain control, and to install or remove active directory service support.
-</p><p>
-<a class="indexterm" name="id334271"></a>
-<a class="indexterm" name="id334280"></a>
-New to Samba-3 is the ability to function fully as an MS Windows NT4-style domain controller,
-excluding the SAM replication components. However, please be aware that Samba-3 also supports the
-MS Windows 200x domain control protocols.
-</p><p>
-<a class="indexterm" name="id334294"></a>
-At this time any appearance that Samba-3 is capable of acting as a <span class="emphasis"><em>domain controller</em></span> in
-native ADS mode is limited and experimental in nature. This functionality should not be used until the Samba
-Team offers formal support for it. At such a time, the documentation will be revised to duly reflect all
-configuration and management requirements. Samba can act as a NT4-style domain controller in a Windows 2000/XP
-environment. However, there are certain compromises:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>No machine policy files.</p></li><li class="listitem"><p>No Group Policy Objects.</p></li><li class="listitem"><p>No synchronously executed Active Directory logon scripts.</p></li><li class="listitem"><p>Can't use Active Directory management tools to manage users and machines.</p></li><li class="listitem"><p>Registry changes tattoo the main registry, while with Active Directory they do not leave
- permanent changes in effect.</p></li><li class="listitem"><p>Without Active Directory you cannot perform the function of exporting specific
- applications to specific users or groups.</p></li></ul></div></div><div class="sect2" title="Preparing for Domain Control"><div class="titlepage"><div><div><h3 class="title"><a name="id334343"></a>Preparing for Domain Control</h3></div></div></div><p>
-<a class="indexterm" name="id334351"></a>
-<a class="indexterm" name="id334358"></a>
-<a class="indexterm" name="id334365"></a>
-<a class="indexterm" name="id334372"></a>
-There are two ways that MS Windows machines may interact with each other, with other servers,
-and with domain controllers: either as <span class="emphasis"><em>standalone</em></span> systems, more commonly
-called <span class="emphasis"><em>workgroup</em></span> members, or as full participants in a security system,
-more commonly called <span class="emphasis"><em>domain</em></span> members.
-</p><p>
-<a class="indexterm" name="id334395"></a>
-<a class="indexterm" name="id334402"></a>
-<a class="indexterm" name="id334411"></a>
-It should be noted that workgroup membership involves no special configuration other than the machine being
-configured so the network configuration has a commonly used name for its workgroup entry. It is not uncommon
-for the name WORKGROUP to be used for this. With this mode of configuration, there are no Machine Trust
-Accounts, and any concept of membership as such is limited to the fact that all machines appear in the network
-neighborhood to be logically grouped together. Again, just to be clear: <span class="emphasis"><em>workgroup mode does not
-involve security machine accounts</em></span>.
-</p><p>
-<a class="indexterm" name="id334429"></a>
-<a class="indexterm" name="id334436"></a>
-<a class="indexterm" name="id334445"></a>
-Domain member machines have a machine trust account in the domain accounts database. A special procedure
-must be followed on each machine to effect domain membership. This procedure, which can be done
-only by the local machine Administrator account, creates the domain machine account (if it does
-not exist), and then initializes that account. When the client first logs onto the
-domain, a machine trust account password change will be automatically triggered.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id334460"></a>
-When Samba is configured as a domain controller, secure network operation demands that
-all MS Windows NT4/200x/XP Professional clients should be configured as domain members.
-If a machine is not made a member of the domain, then it will operate like a workgroup
-(standalone) machine. Please refer to <a class="link" href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a>, for
-information regarding domain membership.
-</p></div><p>
-The following are necessary for configuring Samba-3 as an MS Windows NT4-style PDC for MS Windows
-NT4/200x/XP clients:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Configuration of basic TCP/IP and MS Windows networking.</p></li><li class="listitem"><p>Correct designation of the server role (<a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = user</a>).</p></li><li class="listitem"><p>Consistent configuration of name resolution.<sup>[<a name="id334510" href="#ftn.id334510" class="footnote">2</a>]</sup></p></li><li class="listitem"><p>Domain logons for Windows NT4/200x/XP Professional clients.</p></li><li class="listitem"><p>Configuration of roaming profiles or explicit configuration to force local profile usage.</p></li><li class="listitem"><p>Configuration of network/system policies.</p></li><li class="listitem"><p>Adding and managing domain user accounts.</p></li><li class="listitem"><p>Configuring MS Windows NT4/2000 Professional and Windows XP Professional client machines to become domain members.</p></li></ul></div><p>
-The following provisions are required to serve MS Windows 9x/Me clients:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Configuration of basic TCP/IP and MS Windows networking.</p></li><li class="listitem"><p>Correct designation of the server role (<a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = user</a>).</p></li><li class="listitem"><p>Network logon configuration (since Windows 9x/Me/XP Home are not technically domain
- members, they do not really participate in the security aspects of Domain logons as such).</p></li><li class="listitem"><p>Roaming profile configuration.</p></li><li class="listitem"><p>Configuration of system policy handling.</p></li><li class="listitem"><p>Installation of the network driver <span class="quote">&#8220;<span class="quote">Client for MS Windows Networks</span>&#8221;</span> and configuration
- to log onto the domain.</p></li><li class="listitem"><p>Placing Windows 9x/Me clients in user-level security if it is desired to allow
- all client-share access to be controlled according to domain user/group identities.</p></li><li class="listitem"><p>Adding and managing domain user accounts.</p></li></ul></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id334622"></a>
-<a class="indexterm" name="id334628"></a>
-Roaming profiles and system/network policies are advanced network administration topics
-that are covered in <a class="link" href="ProfileMgmt.html" title="Chapter 27. Desktop Profile Management">Desktop Profile Management</a> and
-<a class="link" href="PolicyMgmt.html" title="Chapter 26. System and Account Policies">System and Account Policies</a> of this document. However, these are not
-necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.
-</p></div><p>
-A domain controller is an SMB/CIFS server that:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id334662"></a>
- <a class="indexterm" name="id334671"></a>
- <a class="indexterm" name="id334677"></a>
- <a class="indexterm" name="id334684"></a>
- <a class="indexterm" name="id334691"></a>
- Registers and advertises itself as a domain controller (through NetBIOS broadcasts
- as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
- to a WINS server over UDP unicast, or via DNS and Active Directory).
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id334704"></a>
- <a class="indexterm" name="id334711"></a>
- Provides the NETLOGON service. (This is actually a collection of services that runs over
- multiple protocols. These include the LanMan logon service, the Netlogon service,
- the Local Security Account service, and variations of them.)
- </p></li><li class="listitem"><p>
- Provides a share called NETLOGON.
- </p></li></ul></div><p>
-<a class="indexterm" name="id334729"></a>
-<a class="indexterm" name="id334741"></a>
-<a class="indexterm" name="id334752"></a>
-<a class="indexterm" name="id334759"></a>
-<a class="indexterm" name="id334766"></a>
-It is rather easy to configure Samba to provide these. Each Samba domain controller must provide the NETLOGON
-service that Samba calls the <a class="link" href="smb.conf.5.html#DOMAINLOGONS" target="_top">domain logons</a> functionality (after the name of the
-parameter in the <code class="filename">smb.conf</code> file). Additionally, one server in a Samba-3 domain must advertise itself as the
-domain master browser.<sup>[<a name="id334793" href="#ftn.id334793" class="footnote">3</a>]</sup> This causes the PDC to claim a domain-specific NetBIOS name that identifies
-it as a DMB for its given domain or workgroup. Local master browsers (LMBs) in the same domain or workgroup on
-broadcast-isolated subnets then ask for a complete copy of the browse list for the whole wide-area network.
-Browser clients then contact their LMB, and will receive the domain-wide browse list instead of just the list
-for their broadcast-isolated subnet.
-</p></div></div><div class="sect1" title="Domain Control: Example Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id334811"></a>Domain Control: Example Configuration</h2></div></div></div><p>
-The first step in creating a working Samba PDC is to understand the parameters necessary
-in <code class="filename">smb.conf</code>. An example <code class="filename">smb.conf</code> for acting as a PDC can be found in <a class="link" href="samba-pdc.html#pdc-example" title="Example 4.1. smb.conf for being a PDC">the
-smb.conf file for an example PDC</a>.
-</p><div class="example"><a name="pdc-example"></a><p class="title"><b>Example 4.1. smb.conf for being a PDC</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id334864"></a></td></tr><tr><td><a class="indexterm" name="id334871"></a></td></tr><tr><td><a class="indexterm" name="id334878"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id334889"></a><em class="parameter"><code>os level = 33</code></em></td></tr><tr><td><a class="indexterm" name="id334900"></a><em class="parameter"><code>preferred master = auto</code></em></td></tr><tr><td><a class="indexterm" name="id334912"></a><em class="parameter"><code>domain master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id334923"></a><em class="parameter"><code>local master = yes</code></em></td></tr><tr><td><a class="indexterm" name="id334935"></a><em class="parameter"><code>security = user</code></em></td></tr><tr><td><a class="indexterm" name="id334946"></a><em class="parameter"><code>domain logons = yes</code></em></td></tr><tr><td><a class="indexterm" name="id334958"></a><em class="parameter"><code>logon path = \\%N\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id334969"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id334981"></a><em class="parameter"><code>logon home = \\homeserver\%U\winprofile</code></em></td></tr><tr><td><a class="indexterm" name="id334992"></a><em class="parameter"><code>logon script = logon.cmd</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id335013"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" 
name="id335025"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id335036"></a></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id335052"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id335063"></a><em class="parameter"><code>read only = no</code></em></td></tr><tr><td><a class="indexterm" name="id335075"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id335086"></a><em class="parameter"><code>directory mask = 0700</code></em></td></tr></table></div></div><br class="example-break"><p>
-The basic options shown in <a class="link" href="samba-pdc.html#pdc-example" title="Example 4.1. smb.conf for being a PDC">this example</a> are explained as follows:
-</p><div class="variablelist"><dl><dt><span class="term">passdb backend </span></dt><dd><p>
- <a class="indexterm" name="id335119"></a>
- <a class="indexterm" name="id335129"></a>
- <a class="indexterm" name="id335135"></a>
- <a class="indexterm" name="id335142"></a>
- <a class="indexterm" name="id335149"></a>
- <a class="indexterm" name="id335156"></a>
- This contains all the user and group account information. Acceptable values for a PDC
- are: <span class="emphasis"><em>smbpasswd, tdbsam, and ldapsam</em></span>. The <span class="quote">&#8220;<span class="quote">guest</span>&#8221;</span> entry provides
- default accounts and is included by default; there is no need to add it explicitly.
- </p><p>
- <a class="indexterm" name="id335175"></a>
- <a class="indexterm" name="id335182"></a>
- <a class="indexterm" name="id335189"></a>
- <a class="indexterm" name="id335196"></a>
- Where use of BDCs is intended, the only logical choice is
- to use LDAP so the passdb backend can be distributed. The tdbsam and smbpasswd files
- cannot effectively be distributed and therefore should not be used.
- </p></dd><dt><span class="term">Domain Control Parameters </span></dt><dd><p>
- <a class="indexterm" name="id335214"></a>
- <a class="indexterm" name="id335221"></a>
- <a class="indexterm" name="id335228"></a>
- <a class="indexterm" name="id335235"></a>
- The parameters <span class="emphasis"><em>os level, preferred master, domain master, security,
- encrypt passwords</em></span>, and <span class="emphasis"><em>domain logons</em></span> play a central role in assuring domain
- control and network logon support.
- </p><p>
- <a class="indexterm" name="id335256"></a>
- <a class="indexterm" name="id335262"></a>
- The <span class="emphasis"><em>os level</em></span> must be set at or above a value of 32. A domain controller
- must be the DMB, must be set in <span class="emphasis"><em>user</em></span> mode security,
- must support Microsoft-compatible encrypted passwords, and must provide the network logon
- service (domain logons). Encrypted passwords must be enabled. For more details on how
- to do this, refer to <a class="link" href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Databases</a>.
- </p></dd><dt><span class="term">Environment Parameters </span></dt><dd><p>
- <a class="indexterm" name="id335296"></a>
- <a class="indexterm" name="id335303"></a>
- <a class="indexterm" name="id335310"></a>
- <a class="indexterm" name="id335317"></a>
- The parameters <span class="emphasis"><em>logon path, logon home, logon drive</em></span>, and <span class="emphasis"><em>logon script</em></span> are
- environment support settings that help to facilitate client logon operations and that help
- to provide automated control facilities to ease network management overheads. Please refer
- to the man page information for these parameters.
- </p></dd><dt><span class="term">NETLOGON Share </span></dt><dd><p>
- <a class="indexterm" name="id335343"></a>
- <a class="indexterm" name="id335350"></a>
- <a class="indexterm" name="id335357"></a>
- <a class="indexterm" name="id335364"></a>
- <a class="indexterm" name="id335370"></a>
- <a class="indexterm" name="id335377"></a>
- The NETLOGON share plays a central role in domain logon and domain membership support.
- This share is provided on all Microsoft domain controllers. It is used to provide logon
- scripts, to store group policy files (NTConfig.POL), as well as to locate other common
- tools that may be needed for logon processing. This is an essential share on a domain controller.
- </p></dd><dt><span class="term">PROFILE Share </span></dt><dd><p>
- <a class="indexterm" name="id335397"></a>
- <a class="indexterm" name="id335404"></a>
- <a class="indexterm" name="id335410"></a>
- <a class="indexterm" name="id335417"></a>
- <a class="indexterm" name="id335424"></a>
- This share is used to store user desktop profiles. Each user must have a directory at the root
- of this share. This directory must be write-enabled for the user and must be globally read-enabled.
- Samba-3 has a VFS module called <span class="quote">&#8220;<span class="quote">fake_permissions</span>&#8221;</span> that may be installed on this share. This will
- allow a Samba administrator to make the directory read-only to everyone. Of course this is useful
- only after the profile has been properly created.
- </p></dd></dl></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-The above parameters make for a full set of functionality that may define the server's mode
-of operation. The following <code class="filename">smb.conf</code> parameters are the essentials alone:
-</p><p>
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id335459"></a><em class="parameter"><code>netbios name = BELERIAND</code></em></td></tr><tr><td><a class="indexterm" name="id335471"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id335482"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id335494"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id335505"></a><em class="parameter"><code>security = User</code></em></td></tr></table><p>
-</p><p>
-The additional parameters shown in the longer listing in this section just make for
-a more complete explanation.
-</p></div></div><div class="sect1" title="Samba ADS Domain Control"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id335523"></a>Samba ADS Domain Control</h2></div></div></div><p>
-<a class="indexterm" name="id335531"></a>
-Samba-3 is not, and cannot act as, an Active Directory server. It cannot truly function as an Active Directory
-PDC. The protocols for some of the functionality of Active Directory domain controllers has been partially
-implemented on an experimental only basis. Please do not expect Samba-3 to support these protocols. Do not
-depend on any such functionality either now or in the future. The Samba Team may remove these experimental
-features or may change their behavior. This is mentioned for the benefit of those who have discovered secret
-capabilities in Samba-3 and who have asked when this functionality will be completed. The answer is maybe
-someday or maybe never!
-</p><p>
-<a class="indexterm" name="id335547"></a>
-<a class="indexterm" name="id335554"></a>
-To be sure, Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4-style
-domain controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have
-a number of features that Windows NT4 domain controllers do not have. In short, Samba-3 is not NT4 and it
-is not Windows Server 200x: it is not an Active Directory server. We hope this is plain and simple
-enough for all to understand.
-</p></div><div class="sect1" title="Domain and Network Logon Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id335566"></a>Domain and Network Logon Configuration</h2></div></div></div><p>
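Review bot: the removed "Samba ADS Domain Control" section, together with the matching paragraph at the end of "Domain Controller Types", is where this chapter tells administrators that Samba-3 is not an Active Directory server and that the experimental ADS domain controller functionality should not be used or depended on, so a deletion of this size needs a commit message that says where the chapter now lives. The page refers to itself as samba-pdc.html#pdc-example and links to domain-member.html, passdb.html, ProfileMgmt.html and PolicyMgmt.html. If this HTML is generated from another source in the tree, say so in the commit message. If the chapter is being retired, check that nothing that remains still links to the pdc-example and PDC-config anchors, and that the caveat is carried over to whatever replaces it.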
-<a class="indexterm" name="id335574"></a>
-The subject of network or domain logons is discussed here because it forms
-an integral part of the essential functionality that is provided by a domain controller.
-</p><div class="sect2" title="Domain Network Logon Service"><div class="titlepage"><div><div><h3 class="title"><a name="id335583"></a>Domain Network Logon Service</h3></div></div></div><p>
-<a class="indexterm" name="id335591"></a>
-All domain controllers must run the netlogon service (<span class="emphasis"><em>domain logons</em></span>
-in Samba). One domain controller must be configured with <a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master = Yes</a>
-(the PDC); on all BDCs set the parameter <a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master = No</a>.
-</p><div class="sect3" title="Example Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id335627"></a>Example Configuration</h4></div></div></div><div class="example"><a name="PDC-config"></a><p class="title"><b>Example 4.2. smb.conf for being a PDC</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id335656"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id335667"></a><em class="parameter"><code>domain master = (Yes on PDC, No on BDCs)</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id335688"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id335700"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id335711"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id335723"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" title="The Special Case of MS Windows XP Home Edition"><div class="titlepage"><div><div><h4 class="title"><a name="id335736"></a>The Special Case of MS Windows XP Home Edition</h4></div></div></div><p>
-<a class="indexterm" name="id335744"></a>
-To be completely clear: If you want MS Windows XP Home Edition to integrate with your
-MS Windows NT4 or Active Directory domain security, understand it cannot be done.
-The only option is to purchase the upgrade from MS Windows XP Home Edition to
-MS Windows XP Professional.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-MS Windows XP Home Edition does not have the ability to join any type of domain
-security facility. Unlike MS Windows 9x/Me, MS Windows XP Home Edition also completely
-lacks the ability to log onto a network.
-</p></div><p>
-Now that this has been said, please do not ask the mailing list or email any of the
-Samba Team members with your questions asking how to make this work. It can't be done.
-If it can be done, then to do so would violate your software license agreement with
-Microsoft, and we recommend that you do not do that.
-</p></div><div class="sect3" title="The Special Case of Windows 9x/Me"><div class="titlepage"><div><div><h4 class="title"><a name="id335768"></a>The Special Case of Windows 9x/Me</h4></div></div></div><p>
-<a class="indexterm" name="id335775"></a>
-<a class="indexterm" name="id335782"></a>
-<a class="indexterm" name="id335789"></a>
-<a class="indexterm" name="id335796"></a>
-<a class="indexterm" name="id335803"></a>
-A domain and a workgroup are exactly the same in terms of network
-browsing. The difference is that a distributable authentication
-database is associated with a domain, for secure login access to a
-network. Also, different access rights can be granted to users if they
-successfully authenticate against a domain logon server. Samba-3 does this
-now in the same way as MS Windows NT/200x.
-</p><p>
-<a class="indexterm" name="id335816"></a>
-The SMB client logging on to a domain has an expectation that every other
-server in the domain should accept the same authentication information.
-Network browsing functionality of domains and workgroups is identical and
-is explained in this documentation under the browsing discussions.
-It should be noted that browsing is totally orthogonal to logon support.
-</p><p>
-<a class="indexterm" name="id335829"></a>
-<a class="indexterm" name="id335836"></a>
-<a class="indexterm" name="id335843"></a>
-Issues related to the single-logon network model are discussed in this
-section. Samba supports domain logons, network logon scripts, and user
-profiles for MS Windows for Workgroups and MS Windows 9x/Me clients,
-which are the focus of this section.
-</p><p>
-<a class="indexterm" name="id335855"></a>
-When an SMB client in a domain wishes to log on, it broadcasts requests for a logon server. The first one to
-reply gets the job and validates its password using whatever mechanism the Samba administrator has installed.
-It is possible (but ill advised) to create a domain where the user database is not shared between servers;
-that is, they are effectively workgroup servers advertising themselves as participating in a domain. This
-demonstrates how authentication is quite different from but closely involved with domains.
-</p><p>
-Using these features, you can make your clients verify their logon via
-the Samba server, make clients run a batch file when they log on to
-the network and download their preferences, desktop, and start menu.
-</p><p><span class="emphasis"><em>
-MS Windows XP Home edition is not able to join a domain and does not permit the use of domain logons.
-</em></span></p><p>
-Before launching into the configuration instructions, it is worthwhile to look at how a Windows 9x/Me client
-performs a logon:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
- <a class="indexterm" name="id335893"></a>
- <a class="indexterm" name="id335900"></a>
- The client broadcasts (to the IP broadcast address of the subnet it is in)
- a NetLogon request. This is sent to the NetBIOS name DOMAIN&lt;1C&gt; at the
- NetBIOS layer. The client chooses the first response it receives, which
- contains the NetBIOS name of the logon server to use in the format of
- <code class="filename">\\SERVER</code>. The <code class="literal">1C</code> name is the name
- type that is registered by domain controllers (SMB/CIFS servers that provide
- the netlogon service).
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id335933"></a>
- <a class="indexterm" name="id335940"></a>
- <a class="indexterm" name="id335946"></a>
- The client connects to that server, logs on (does an SMBsessetupX) and
- then connects to the IPC$ share (using an SMBtconX).
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id335961"></a>
- The client does a NetWkstaUserLogon request, which retrieves the name
- of the user's logon script.
- </p></li><li class="listitem"><p>
- The client then connects to the NetLogon share and searches for said script.
- If it is found and can be read, it is retrieved and executed by the client.
- After this, the client disconnects from the NetLogon share.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id335983"></a>
- <a class="indexterm" name="id335990"></a>
- The client sends a NetUserGetInfo request to the server to retrieve
- the user's home share, which is used to search for profiles. Since the
- response to the NetUserGetInfo request does not contain much more than
- the user's home share, profiles for Windows 9x clients must reside in the user
- home directory.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id336006"></a>
- The client connects to the user's home share and searches for the
- user's profile. As it turns out, you can specify the user's home share as
- a share name and path. For example, <code class="filename">\\server\fred\.winprofile</code>.
- If the profiles are found, they are implemented.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id336027"></a>
- The client then disconnects from the user's home share and reconnects to
- the NetLogon share and looks for <code class="filename">CONFIG.POL</code>, the policies file. If this is
- found, it is read and implemented.
- </p></li></ol></div><p>
-The main difference between a PDC and a Windows 9x/Me logon server configuration is:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <a class="indexterm" name="id336054"></a>
- <a class="indexterm" name="id336063"></a>
- Password encryption is not required for a Windows 9x/Me logon server. But note
- that beginning with MS Windows 98 the default setting is that plaintext
- password support is disabled. It can be re-enabled with the registry
- changes that are documented in <a class="link" href="PolicyMgmt.html" title="Chapter 26. System and Account Policies">System and Account Policies</a>.
- </p></li><li class="listitem"><p>
- <a class="indexterm" name="id336084"></a>
- Windows 9x/Me clients do not require and do not use Machine Trust Accounts.
- </p></li></ul></div><p>
-<a class="indexterm" name="id336095"></a>
-A Samba PDC will act as a Windows 9x/Me logon server; after all, it does provide the
-network logon services that MS Windows 9x/Me expect to find.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id336108"></a>
-Use of plaintext passwords is strongly discouraged. Where used they are easily detected
-using a sniffer tool to examine network traffic.
-</p></div></div></div><div class="sect2" title="Security Mode and Master Browsers"><div class="titlepage"><div><div><h3 class="title"><a name="id336119"></a>Security Mode and Master Browsers</h3></div></div></div><p>
-<a class="indexterm" name="id336127"></a>
-<a class="indexterm" name="id336134"></a>
-<a class="indexterm" name="id336140"></a>
-There are a few comments to make in order to tie up some loose ends. There has been much debate over the issue
-of whether it is okay to configure Samba as a domain controller that operates with security mode other than
-user-mode. The only security mode that will not work due to technical reasons is share-mode security. Domain
-and server mode security are really just a variation on SMB user-level security.
-</p><p>
-<a class="indexterm" name="id336157"></a>
-<a class="indexterm" name="id336164"></a>
-<a class="indexterm" name="id336171"></a>
-<a class="indexterm" name="id336177"></a>
-<a class="indexterm" name="id336184"></a>
-<a class="indexterm" name="id336191"></a>
-<a class="indexterm" name="id336198"></a>
-Actually, this issue is also closely tied to the debate on whether Samba must be the DMB for its workgroup
-when operating as a domain controller. In a pure Microsoft Windows NT domain, the PDC wins the election to be
-the DMB, and then registers the DOMAIN&lt;1B&gt; NetBIOS name. This is not the name used by Windows clients
-to locate the domain controller, all domain controllers register the DOMAIN&lt;1C&gt; name and Windows clients
-locate a network logon server by seraching for the DOMAIN&lt;1C&gt; name. A DMB is a Domain Master Browser
- see <a class="link" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">The Network Browsing Chapter</a>, <a class="link" href="NetworkBrowsing.html#DMB" title="Configuring Workgroup Browsing">Configuring WORKGROUP Browsing</a>; Microsoft PDCs expect to win the election to become the
-DMB, if it loses that election it will report a continuous and rapid sequence of warning messages to its
-Windows event logger complaining that it has lost the election to become a DMB. For this reason, in networks
-where a Samba server is the PDC it is wise to configure the Samba domain controller as the DMB.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id336238"></a>
-<a class="indexterm" name="id336245"></a>
-<a class="indexterm" name="id336251"></a>
-<a class="indexterm" name="id336258"></a>
-<a class="indexterm" name="id336265"></a>
-SMB/CIFS servers that register the DOMAIN&lt;1C&gt; name do so because they provide the network logon
-service. Server that register the DOMAIN&lt;1B&gt; name are DMBs meaning that they are responsible
-for browse list synchronization across all machines that have registered the DOMAIN&lt;1D&gt; name. The later
-are LMBs that have the responsibility to listen to all NetBIOS name registrations that occur locally to their
-own network segment. The network logon service (NETLOGON) is germane to domain control and has nothing to do
-with network browsing and browse list management. The 1C and 1B/1D name services are orthogonal to each
-other.
-</p></div><p>
-Now back to the issue of configuring a Samba domain controller to use a mode other than <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = user</a>. If a Samba host is configured to use another SMB server or domain
-controller in order to validate user connection requests, it is a fact that some other machine on the network
-(the <a class="link" href="smb.conf.5.html#PASSWORDSERVER" target="_top">password server</a>) knows more about the user than the Samba host. About 99 percent
-of the time, this other host is a domain controller. Now to operate in domain mode security, the
-<a class="link" href="smb.conf.5.html#WORKGROUP" target="_top">workgroup</a> parameter must be set to the name of the Windows NT domain (which already
-has a domain controller). If the domain does not already have a domain controller, you do not yet have a
-domain.
-</p><p>
-Configuring a Samba box as a domain controller for a domain that already by definition has a
-PDC is asking for trouble. Therefore, you should always configure the Samba domain controller
-to be the DMB for its domain and set <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = user</a>.
-This is the only officially supported mode of operation.
-</p></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id336354"></a>Common Errors</h2></div></div></div><div class="sect2" title="&#8220;$&#8221; Cannot Be Included in Machine Name"><div class="titlepage"><div><div><h3 class="title"><a name="id336359"></a><span class="quote">&#8220;<span class="quote">$</span>&#8221;</span> Cannot Be Included in Machine Name</h3></div></div></div><p>
-<a class="indexterm" name="id336369"></a>
-<a class="indexterm" name="id336376"></a>
-<a class="indexterm" name="id336383"></a>
-A machine account, typically stored in <code class="filename">/etc/passwd</code>, takes the form of the machine
-name with a <span class="quote">&#8220;<span class="quote">$</span>&#8221;</span> appended. Some BSD systems will not create a user with a <span class="quote">&#8220;<span class="quote">$</span>&#8221;</span> in the name.
-Recent versions of FreeBSD have removed this limitation, but older releases are still in common use.
-</p><p>
-<a class="indexterm" name="id336408"></a>
-The problem is only in the program used to make the entry. Once made, it works perfectly. Create a user
-without the <span class="quote">&#8220;<span class="quote">$</span>&#8221;</span>. Then use <code class="literal">vipw</code> to edit the entry, adding the <span class="quote">&#8220;<span class="quote">$</span>&#8221;</span>.
-Or create the whole entry with vipw if you like; make sure you use a unique user login ID.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The machine account must have the exact name that the workstation has.</p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-The UNIX tool <code class="literal">vipw</code> is a common tool for directly editing the <code class="filename">/etc/passwd</code> file.
-The use of vipw will ensure that shadow files (where used) will remain current with the passwd file. This is
-important for security reasons.
-</p></div></div><div class="sect2" title="Joining Domain Fails Because of Existing Machine Account"><div class="titlepage"><div><div><h3 class="title"><a name="id336454"></a>Joining Domain Fails Because of Existing Machine Account</h3></div></div></div><p>
-<a class="indexterm" name="id336462"></a>
-<span class="quote">&#8220;<span class="quote">I get told, `You already have a connection to the Domain....' or `Cannot join domain, the
-credentials supplied conflict with an existing set...' when creating a Machine Trust Account.</span>&#8221;</span>
-</p><p>
-This happens if you try to create a Machine Trust Account from the machine itself and already have a
-connection (e.g., mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all
-network drive connections:
-</p><pre class="screen">
-<code class="prompt">C:\&gt; </code><strong class="userinput"><code>net use * /d</code></strong>
-</pre><p>
-This will break all network connections.
-</p><p>
-Further, if the machine is already a <span class="quote">&#8220;<span class="quote">member of a workgroup</span>&#8221;</span> that is the same name as the domain
-you are joining (bad idea), you will get this message. Change the workgroup name to something else
-it does not matter what reboot, and try again.
-</p></div><div class="sect2" title="The System Cannot Log You On (C000019B)"><div class="titlepage"><div><div><h3 class="title"><a name="id336513"></a>The System Cannot Log You On (C000019B)</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">
-I joined the domain successfully but after upgrading to a newer version of the Samba code I get the message,
-<span class="errorname">`The system cannot log you on (C000019B). Please try again or consult your system
-administrator</span> when attempting to logon.'</span>&#8221;</span>
-</p><p>
-<a class="indexterm" name="id336530"></a>
-This occurs when the domain SID stored in the secrets.tdb database is changed. The most common cause of a
-change in domain SID is when the domain name and/or the server name (NetBIOS name) is changed. The only way
-to correct the problem is to restore the original domain SID or remove the domain client from the domain and
-rejoin. The domain SID may be reset using either the net or rpcclient utilities.
-</p><p>
-To reset or change the domain SID you can use the net command as follows:
-
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>net getlocalsid 'OLDNAME'</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>net setlocalsid 'SID'</code></strong>
-</pre><p>
-</p><p>
-Workstation Machine Trust Accounts work only with the domain (or network) SID. If this SID changes,
-domain members (workstations) will not be able to log onto the domain. The original domain SID
-can be recovered from the secrets.tdb file. The alternative is to visit each workstation to rejoin
-it to the domain.
-</p></div><div class="sect2" title="The Machine Trust Account Is Not Accessible"><div class="titlepage"><div><div><h3 class="title"><a name="id336578"></a>The Machine Trust Account Is Not Accessible</h3></div></div></div><p>
-<span class="quote">&#8220;<span class="quote">When I try to join the domain I get the message, <span class="errorname">"The machine account
-for this computer either does not exist or is not accessible</span>." What's wrong?</span>&#8221;</span>
-</p><p>
-This problem is caused by the PDC not having a suitable Machine Trust Account. If you are using the
-<a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a> method to create accounts, then this would indicate that it has not
-worked. Ensure the domain admin user system is working.
-</p><p>
-Alternately, if you are creating account entries manually, then they have not been created correctly. Make
-sure that you have the entry correct for the Machine Trust Account in <code class="filename">smbpasswd</code> file on
-the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure
-that the account name is the machine NetBIOS name with a <span class="quote">&#8220;<span class="quote">$</span>&#8221;</span> appended to it (i.e.,
-computer_name$). There must be an entry in both the POSIX UNIX system account backend as well as in the
-SambaSAMAccount backend. The default backend for Samba-3 (i.e., the parameter <em class="parameter"><code>passdb
-backend</code></em> is not specified in the <code class="filename">smb.conf</code> file, or if specified is set to
-<code class="literal">smbpasswd</code>, are respectively the <code class="filename">/etc/passwd</code> and
-<code class="filename">/etc/samba/smbpasswd</code> (or <code class="filename">/usr/local/samba/lib/private/smbpasswd</code> if
-compiled using Samba Team default settings). The use of the <code class="filename">/etc/passwd</code> can be overridden
-by alternative settings in the NSS <code class="filename">/etc/nsswitch.conf</code> file.
-</p><p>
-Some people have also reported that inconsistent subnet masks between the Samba server and the NT
-client can cause this problem. Make sure that these are consistent for both client and server.
-</p></div><div class="sect2" title="Account Disabled"><div class="titlepage"><div><div><h3 class="title"><a name="id336685"></a>Account Disabled</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">When I attempt to log in to a Samba domain from a NT4/W200x workstation,
-I get a message about my account being disabled.</span>&#8221;</span></p><p>
-Enable the user accounts with <strong class="userinput"><code>smbpasswd -e <em class="replaceable"><code>username</code></em>
-</code></strong>. This is normally done as an account is created.
-</p></div><div class="sect2" title="Domain Controller Unavailable"><div class="titlepage"><div><div><h3 class="title"><a name="id336710"></a>Domain Controller Unavailable</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">Until a few minutes after Samba has started, clients get the error `Domain Controller Unavailable'</span>&#8221;</span></p><p>
-A domain controller has to announce its role on the network. This usually takes a while. Be patient for up to 15 minutes,
-then try again.
-</p></div><div class="sect2" title="Cannot Log onto Domain Member Workstation After Joining Domain"><div class="titlepage"><div><div><h3 class="title"><a name="id336727"></a>Cannot Log onto Domain Member Workstation After Joining Domain</h3></div></div></div><p>
-<a class="indexterm" name="id336735"></a>
-<a class="indexterm" name="id336742"></a>
-After successfully joining the domain, user logons fail with one of two messages: one to the
-effect that the domain controller cannot be found; the other claims that the account does not
-exist in the domain or that the password is incorrect. This may be due to incompatible
-settings between the Windows client and the Samba-3 server for <span class="emphasis"><em>schannel</em></span>
-(secure channel) settings or <span class="emphasis"><em>smb signing</em></span> settings. Check your Samba
-settings for <span class="emphasis"><em>client schannel</em></span>, <span class="emphasis"><em>server schannel</em></span>,
-<span class="emphasis"><em>client signing</em></span>, <span class="emphasis"><em>server signing</em></span> by executing:
-</p><pre class="screen">
-<code class="literal">testparm -v | grep channel</code> and looking for the value of these parameters.
-</pre><p>
-</p><p>
-Also use the MMC Local Security Settings. This tool is available from the
-Control Panel. The Policy settings are found in the Local Policies/Security Options area and are prefixed by
-<span class="emphasis"><em>Secure Channel:..., and Digitally sign...</em></span>.
-</p><p>
-It is important that these be set consistently with the Samba-3 server settings.
-</p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id334056" href="#id334056" class="para">1</a>] </sup>See also <a class="link" href="passdb.html" title="Chapter 11. Account Information Databases">Account Information
-Databases</a>.</p></div><div class="footnote"><p><sup>[<a name="ftn.id334510" href="#id334510" class="para">2</a>] </sup>See <a class="link" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network Browsing</a>, and
- <a class="link" href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba">Integrating MS Windows Networks with Samba</a>.</p></div><div class="footnote"><p><sup>[<a name="ftn.id334793" href="#id334793" class="para">3</a>] </sup>See <a class="link" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing">Network
-Browsing</a>.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Server Types and Security Modes </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Backup Domain Control</td></tr></table></div></body></html>
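Review bot: in the removed "Cannot Log onto Domain Member Workstation After Joining Domain" section, the check shown as `testparm -v | grep channel` only matches the two schannel parameters, yet the paragraph just above it also asks the reader to verify client signing and server signing. If this text survives in the DocBook source that generated these pages, the pattern there should cover both, for example `testparm -v | grep -E 'channel|signing'`. In the same section the explanatory words "and looking for the value of these parameters" sit inside the `<pre class="screen">` block, and the DMB paragraph earlier in the hunk spells "seraching". The `indexterm` ids show this is generated output, so the fixes belong in the source, and the commit message should state that only build output is being dropped.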
diff --git a/docs/htmldocs/Samba3-HOWTO/samba.css b/docs/htmldocs/Samba3-HOWTO/samba.css
deleted file mode 100644
index 3d926e8e74..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/samba.css
+++ /dev/null
@@ -1,80 +0,0 @@
-BODY {
- font-family: helvetica, arial, lucida sans, sans-serif;
- background-color: white;
-}
-
-H1, H2, H3 {
- color: blue;
- font-size: 120%;
- padding: 2px;
- margin-top: 0px;
-}
-
-H1 {
- background-color: #EEEEFF;
- color: blue;
-}
-
-H2 {
- background-color: #DDDDFF;
- color: blue;
-}
-
-H3 {
- background-color: #CCCCFF;
- color: blue;
-}
-
-H4 {
- color: blue;
-}
-
-TR.qandadiv TD {
- padding-top: 1em;
-}
-
-DIV.navhead {
- font-size: 80%;
-}
-
-A:link {
- color: #36F;
-}
-
-A:visited {
- color: #96C;
-}
-
-A:active {
- color: #F63;
-}
-
-TR.question {
- color: #33C;
- font-weight: bold;
-}
-
-TR.question TD {
- padding-top: 1em;
-}
-
-DIV.variablelist {
- padding-left: 2em;
- color: #33C;
-}
-
-P {
- color: black;
-}
-
-DIV.note, DIV.warning, DIV.caution, DIV.tip, DIV.important {
- border: dashed 1px;
- background-color: #EEEEFF;
- width: 40em;
-}
-
-PRE.programlisting, PRE.screen {
- border: #630 1px dashed;
- color: #630;
-}
-
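Review bot: the stylesheet deleted here lives at docs/htmldocs/Samba3-HOWTO/samba.css, but the HTML removed alongside it (securing-samba.html) links `href="../samba.css"`, one directory up, so this copy does not look like the one those pages load. Check whether the parent-level samba.css is also removed in this commit or is left behind with nothing referencing it, and say in the commit message which copy the docs build installs so that a later rebuild of the HTML does not come out unstyled.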
diff --git a/docs/htmldocs/Samba3-HOWTO/securing-samba.html b/docs/htmldocs/Samba3-HOWTO/securing-samba.html
deleted file mode 100644
index 60234fbcb7..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/securing-samba.html
+++ /dev/null
@@ -1,263 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 18. Securing Samba</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="locking.html" title="Chapter 17. File and Record Locking"><link rel="next" href="InterdomainTrusts.html" title="Chapter 19. Interdomain Trust Relationships"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 18. Securing Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 18. Securing Samba"><div class="titlepage"><div><div><h2 class="title"><a name="securing-samba"></a>Chapter 18. 
Securing Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 26, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="securing-samba.html#id385260">Introduction</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id385353">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id385488">Technical Discussion of Protective Measures and Issues</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id385501">Using Host-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id385646">User-Based Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id385704">Using Interface Protection</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#firewallports">Using a Firewall</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id386031">Using IPC$ Share-Based Denials </a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id386164">NTLMv2 Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="securing-samba.html#id386212">Upgrading Samba</a></span></dt><dt><span class="sect1"><a href="securing-samba.html#id386253">Common 
Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="securing-samba.html#id386268">Smbclient Works on Localhost, but the Network Is Dead</a></span></dt><dt><span class="sect2"><a href="securing-samba.html#id386293">Why Can Users Access Other Users' Home Directories?</a></span></dt></dl></dd></dl></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385260"></a>Introduction</h2></div></div></div><p>
-<a class="indexterm" name="id385267"></a>
-<a class="indexterm" name="id385274"></a>
-<a class="indexterm" name="id385281"></a>
-<a class="indexterm" name="id385288"></a>
-<a class="indexterm" name="id385295"></a>
-<a class="indexterm" name="id385301"></a>
-<a class="indexterm" name="id385308"></a>
-The information contained in this chapter applies in general to all Samba installations. Security is
-everyone's concern in the information technology world. A surprising number of Samba servers are being
-installed on machines that have direct internet access, thus security is made more critical than it would have been had the
-server been located behind a firewall and on a private network. Paranoia regarding server security is causing
-some network administrators to insist on the installation of robust firewalls even on servers that are located
-inside secured networks. This chapter provides information to assist the administrator who understands
-how to create the needed barriers and deterents against <span class="quote">&#8220;<span class="quote">the enemy</span>&#8221;</span>, no matter where [s]he may
-come from.
-</p><div class="blockquote"><blockquote class="blockquote"><p>
-A new apprentice reported for duty to the chief engineer of a boiler house. He said, <span class="quote">&#8220;<span class="quote">Here I am,
-if you will show me the boiler I'll start working on it.</span>&#8221;</span> Then engineer replied, <span class="quote">&#8220;<span class="quote">You're leaning
-on it!</span>&#8221;</span>
-</p></blockquote></div><p>
-Security concerns are just like that. You need to know a little about the subject to appreciate
-how obvious most of it really is. The challenge for most of us is to discover that first morsel
-of knowledge with which we may unlock the secrets of the masters.
-</p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385353"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id385361"></a>
-<a class="indexterm" name="id385368"></a>
-<a class="indexterm" name="id385375"></a>
-<a class="indexterm" name="id385382"></a>
-There are three levels at which security principles must be observed in order to render a site
-at least moderately secure. They are the perimeter firewall, the configuration of the host
-server that is running Samba, and Samba itself.
-</p><p>
-Samba permits a most flexible approach to network security. As far as possible Samba implements
-the latest protocols to permit more secure MS Windows file and print operations.
-</p><p>
-<a class="indexterm" name="id385398"></a>
-<a class="indexterm" name="id385405"></a>
-<a class="indexterm" name="id385412"></a>
-Samba can be secured from connections that originate from outside the local network. This can be done using
-<span class="emphasis"><em>host-based protection</em></span>, using Samba's implementation of a technology known as
-<span class="quote">&#8220;<span class="quote">tcpwrappers,</span>&#8221;</span> or it may be done be using <span class="emphasis"><em>interface-based exclusion</em></span> so
-<span class="application">smbd</span> will bind only to specifically permitted interfaces. It is also possible to set specific share- or
-resource-based exclusions, for example, on the <em class="parameter"><code>[IPC$]</code></em> autoshare. The <em class="parameter"><code>[IPC$]</code></em> share is used for browsing purposes as well as to establish TCP/IP connections.
-</p><p>
-<a class="indexterm" name="id385455"></a>
-<a class="indexterm" name="id385464"></a>
-<a class="indexterm" name="id385471"></a>
-Another method by which Samba may be secured is by setting Access Control Entries (ACEs) in an Access
-Control List (ACL) on the shares themselves. This is discussed in
-<a class="link" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">File, Directory, and Share Access Controls</a>.
-</p></div><div class="sect1" title="Technical Discussion of Protective Measures and Issues"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385488"></a>Technical Discussion of Protective Measures and Issues</h2></div></div></div><p>
-The key challenge of security is that protective measures suffice at best
-only to close the door on known exploits and breach techniques. Never assume that
-because you have followed these few measures, the Samba server is now an impenetrable
-fortress! Given the history of information systems so far, it is only a matter of time
-before someone will find yet another vulnerability.
-</p><div class="sect2" title="Using Host-Based Protection"><div class="titlepage"><div><div><h3 class="title"><a name="id385501"></a>Using Host-Based Protection</h3></div></div></div><p>
-<a class="indexterm" name="id385509"></a>
-<a class="indexterm" name="id385515"></a>
-<a class="indexterm" name="id385522"></a>
- In many installations of Samba, the greatest threat comes from outside
- your immediate network. By default, Samba accepts connections from
- any host, which means that if you run an insecure version of Samba on
- a host that is directly connected to the Internet, you can be
- especially vulnerable.
- </p><p>
-<a class="indexterm" name="id385535"></a>
-<a class="indexterm" name="id385542"></a>
- One of the simplest fixes in this case is to use the <a class="link" href="smb.conf.5.html#HOSTSALLOW" target="_top">hosts allow</a> and
- <a class="link" href="smb.conf.5.html#HOSTSDENY" target="_top">hosts deny</a> options in the Samba <code class="filename">smb.conf</code> configuration file to
- allow access to your server only from a specific range of hosts. An example might be:
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id385586"></a><em class="parameter"><code>hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24</code></em></td></tr><tr><td><a class="indexterm" name="id385597"></a><em class="parameter"><code>hosts deny = 0.0.0.0/0</code></em></td></tr></table><p>
- </p><p>
-<a class="indexterm" name="id385612"></a>
-<a class="indexterm" name="id385619"></a>
-<a class="indexterm" name="id385626"></a>
- The above will allow SMB connections only from <code class="constant">localhost</code> (your own
- computer) and from the two private networks 192.168.2 and 192.168.3. All other
- connections will be refused as soon as the client sends its first packet. The refusal
- will be marked as <code class="literal">not listening on called name</code> error.
- </p></div><div class="sect2" title="User-Based Protection"><div class="titlepage"><div><div><h3 class="title"><a name="id385646"></a>User-Based Protection</h3></div></div></div><p>
- If you want to restrict access to your server to valid users only, then the following
- method may be of use. In the <code class="filename">smb.conf</code> <em class="parameter"><code>[global]</code></em> section put:
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id385672"></a><em class="parameter"><code>valid users = @smbusers, jacko</code></em></td></tr></table><p>
- </p><p>
-<a class="indexterm" name="id385687"></a>
- This restricts all server access either to the user <span class="emphasis"><em>jacko</em></span>
- or to members of the system group <span class="emphasis"><em>smbusers</em></span>.
- </p></div><div class="sect2" title="Using Interface Protection"><div class="titlepage"><div><div><h3 class="title"><a name="id385704"></a>Using Interface Protection</h3></div></div></div><p>
-<a class="indexterm" name="id385712"></a>
-<a class="indexterm" name="id385719"></a>
-<a class="indexterm" name="id385725"></a>
- By default, Samba accepts connections on any network interface that
- it finds on your system. That means if you have an ISDN line or a PPP
- connection to the Internet then Samba will accept connections on those
- links. This may not be what you want.
- </p><p>
- You can change this behavior using options like this:
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id385744"></a><em class="parameter"><code>interfaces = eth* lo</code></em></td></tr><tr><td><a class="indexterm" name="id385755"></a><em class="parameter"><code>bind interfaces only = yes</code></em></td></tr></table><p>
- </p><p>
-<a class="indexterm" name="id385770"></a>
-<a class="indexterm" name="id385777"></a>
-<a class="indexterm" name="id385784"></a>
-<a class="indexterm" name="id385790"></a>
- This tells Samba to listen for connections only on interfaces with a name starting with
- <code class="constant">eth</code> such as <code class="constant">eth0</code> or <code class="constant">eth1</code>, plus on the loopback interface called
- <code class="constant">lo</code>. The name you will need to use depends on what OS you are using. In the above, I used
- the common name for Ethernet adapters on Linux.
- </p><p>
-<a class="indexterm" name="id385818"></a>
-<a class="indexterm" name="id385824"></a>
-<a class="indexterm" name="id385831"></a>
-<a class="indexterm" name="id385837"></a>
- If you use the above and someone tries to make an SMB connection to your host over a PPP interface called
- <code class="constant">ppp0</code>, then [s]he will get a TCP connection refused reply. In that case, no Samba code
- is run at all, because the operating system has been told not to pass connections from that interface to any
- Samba process. However, the refusal helps a would-be cracker by confirming that the IP address provides
- valid active services.
- </p><p>
-<a class="indexterm" name="id385855"></a>
-<a class="indexterm" name="id385862"></a>
-<a class="indexterm" name="id385868"></a>
-<a class="indexterm" name="id385875"></a>
-<a class="indexterm" name="id385882"></a>
- A better response would be to ignore the connection (from, for example, ppp0) altogether. The
- advantage of ignoring the connection attempt, as compared with refusing it, is that it foils those who
- probe an interface with the sole intention of finding valid IP addresses for later use in exploitation
- or denial of service attacks. This method of dealing with potential malicious activity demands the
- use of appropriate firewall mechanisms.
- </p></div><div class="sect2" title="Using a Firewall"><div class="titlepage"><div><div><h3 class="title"><a name="firewallports"></a>Using a Firewall</h3></div></div></div><p>
-<a class="indexterm" name="id385906"></a>
-<a class="indexterm" name="id385913"></a>
-<a class="indexterm" name="id385920"></a>
- Many people use a firewall to deny access to services they do not want exposed outside their network. This can
- be a good idea, although I recommend using it in conjunction with the above methods so you are protected even
- if your firewall is not active for some reason.
- </p><p>
- If you are setting up a firewall, you need to know what TCP and UDP ports to allow and block. Samba uses
- the following:
-<a class="indexterm" name="id385934"></a>
-<a class="indexterm" name="id385940"></a>
-<a class="indexterm" name="id385947"></a>
-<a class="indexterm" name="id385954"></a>
-<a class="indexterm" name="id385961"></a>
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td>Port 135/TCP - used by smbd</td></tr><tr><td>Port 137/UDP - used by nmbd</td></tr><tr><td>Port 138/UDP - used by nmbd</td></tr><tr><td>Port 139/TCP - used by smbd</td></tr><tr><td>Port 445/TCP - used by smbd</td></tr></table><p>
-<a class="indexterm" name="id385994"></a>
- The last one is important because many older firewall setups may not be aware of it, given that this port
- was only added to the protocol in recent years.
- </p><p>
-<a class="indexterm" name="id386006"></a>
-<a class="indexterm" name="id386013"></a>
-<a class="indexterm" name="id386019"></a>
- When configuring a firewall, the high order ports (1024-65535) are often used for outgoing connections and
- therefore should be permitted through the firewall. It is prudent to block incoming packets on the high order
- ports except for established connections.
- </p></div><div class="sect2" title="Using IPC$ Share-Based Denials"><div class="titlepage"><div><div><h3 class="title"><a name="id386031"></a>Using IPC$ Share-Based Denials </h3></div></div></div><p>
-<a class="indexterm" name="id386039"></a>
-<a class="indexterm" name="id386045"></a>
-<a class="indexterm" name="id386052"></a>
- If the above methods are not suitable, then you could also place a more specific deny on the IPC$ share that
- is used in the recently discovered security hole. This allows you to offer access to other shares while
- denying access to IPC$ from potentially untrustworthy hosts.
- </p><p>
- To do this you could use:
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[IPC$]</code></em></td></tr><tr><td><a class="indexterm" name="id386079"></a><em class="parameter"><code>hosts allow = 192.168.115.0/24 127.0.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id386091"></a><em class="parameter"><code>hosts deny = 0.0.0.0/0</code></em></td></tr></table><p>
- </p><p>
-<a class="indexterm" name="id386106"></a>
-<a class="indexterm" name="id386113"></a>
-<a class="indexterm" name="id386120"></a>
- This instructs Samba that IPC$ connections are not allowed from anywhere except the two listed network
- addresses (localhost and the 192.168.115 subnet). Connections to other shares are still allowed. Because the
- IPC$ share is the only share that is always accessible anonymously, this provides some level of protection
- against attackers who do not know a valid username/password for your host.
- </p><p>
-<a class="indexterm" name="id386133"></a>
-<a class="indexterm" name="id386140"></a>
-<a class="indexterm" name="id386147"></a>
- If you use this method, then clients will be given an <code class="literal">`access denied'</code> reply when they try
- to access the IPC$ share. Those clients will not be able to browse shares and may also be unable to access
- some other resources. This is not recommended unless for some reason you cannot use one of the other methods
- just discussed.
- </p></div><div class="sect2" title="NTLMv2 Security"><div class="titlepage"><div><div><h3 class="title"><a name="id386164"></a>NTLMv2 Security</h3></div></div></div><p>
-<a class="indexterm" name="id386172"></a>
- To configure NTLMv2 authentication, the following registry keys are worth knowing about:
- </p><p>
- </p><pre class="screen">
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
- "lmcompatibilitylevel"=dword:00000003
- </pre><p>
- </p><p>
- The value 0x00000003 means to send NTLMv2 response only. Clients will use NTLMv2 authentication;
- use NTLMv2 session security if the server supports it. Domain controllers accept LM,
- NTLM, and NTLMv2 authentication.
- </p><p>
- </p><pre class="screen">
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
- "NtlmMinClientSec"=dword:00080000
- </pre><p>
- </p><p>
- The value 0x00080000 means permit only NTLMv2 session security. If either NtlmMinClientSec or
- NtlmMinServerSec is set to 0x00080000, the connection will fail if NTLMv2
- session security is negotiated.
- </p></div></div><div class="sect1" title="Upgrading Samba"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386212"></a>Upgrading Samba</h2></div></div></div><p>
-<a class="indexterm" name="id386220"></a>
-<a class="indexterm" name="id386227"></a>
-<a class="indexterm" name="id386234"></a>
-Please check regularly on <a class="ulink" href="http://www.samba.org/" target="_top">http://www.samba.org/</a> for
-updates and important announcements. Occasionally security releases are made, and it is highly recommended to
-upgrade Samba promptly when a security vulnerability is discovered. Check with your OS vendor for OS-specific
-upgrades.
-</p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386253"></a>Common Errors</h2></div></div></div><p>
-If all Samba and host platform configurations were really as intuitive as one might like them to be, this
-chapter would not be necessary. Security issues are often vexing for a support person to resolve, not because
-of the complexity of the problem, but because most administrators who post what turns out to be a security
-problem request are totally convinced that the problem is with Samba.
-</p><div class="sect2" title="Smbclient Works on Localhost, but the Network Is Dead"><div class="titlepage"><div><div><h3 class="title"><a name="id386268"></a>Smbclient Works on Localhost, but the Network Is Dead</h3></div></div></div><p>
- This is a common problem. Linux vendors tend to install a default firewall.
- With the default firewall in place, only traffic on the loopback adapter (IP address 127.0.0.1)
- is allowed through the firewall.
- </p><p>
- The solution is either to remove the firewall (stop it) or modify the firewall script to
- allow SMB networking traffic through. See <a class="link" href="securing-samba.html#firewallports" title="Using a Firewall">the Using a
- Firewall</a> section.
- </p></div><div class="sect2" title="Why Can Users Access Other Users' Home Directories?"><div class="titlepage"><div><div><h3 class="title"><a name="id386293"></a>Why Can Users Access Other Users' Home Directories?</h3></div></div></div><p>
- <span class="quote">&#8220;<span class="quote">
-<a class="indexterm" name="id386303"></a>
-<a class="indexterm" name="id386310"></a>
- We are unable to keep individual users from mapping to any other user's home directory once they have
- supplied a valid password! They only need to enter their own password. I have not found any method to
- configure Samba so that users may map only their own home directory.
- </span>&#8221;</span>
- </p><p><span class="quote">&#8220;<span class="quote">
- User xyzzy can map his home directory. Once mapped, user xyzzy can also map anyone else's home directory.
- </span>&#8221;</span></p><p>
-<a class="indexterm" name="id386329"></a>
-<a class="indexterm" name="id386335"></a>
- This is not a security flaw, it is by design. Samba allows users to have exactly the same access to the UNIX
- file system as when they were logged on to the UNIX box, except that it only allows such views onto the file
- system as are allowed by the defined shares.
- </p><p>
-<a class="indexterm" name="id386348"></a>
-<a class="indexterm" name="id386355"></a>
- If your UNIX home directories are set up so that one user can happily <code class="literal">cd</code>
- into another user's directory and execute <code class="literal">ls</code>, the UNIX security solution is to change file
- permissions on the user's home directories so that the <code class="literal">cd</code> and <code class="literal">ls</code> are denied.
- </p><p>
-<a class="indexterm" name="id386389"></a>
-<a class="indexterm" name="id386396"></a>
- Samba tries very hard not to second guess the UNIX administrator's security policies and
- trusts the UNIX admin to set the policies and permissions he or she desires.
- </p><p>
- Samba allows the behavior you require. Simply put the <a class="link" href="smb.conf.5.html#ONLYUSER" target="_top">only user = %S</a>
- option in the <em class="parameter"><code>[homes]</code></em> share definition.
- </p><p>
- The <a class="link" href="smb.conf.5.html#ONLYUSER" target="_top">only user</a> works in conjunction with the <a class="link" href="smb.conf.5.html#USERS" target="_top">users = list</a>,
- so to get the behavior you require, add the line:
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id386457"></a><em class="parameter"><code>users = %S</code></em></td></tr></table><p>
- This is equivalent to adding
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id386475"></a><em class="parameter"><code>valid users = %S</code></em></td></tr></table><p>
- to the definition of the <em class="parameter"><code>[homes]</code></em> share, as recommended in
- the <code class="filename">smb.conf</code> man page.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 17. File and Record Locking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 19. Interdomain Trust Relationships</td></tr></table></div></body></html>
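Review bot: the last paragraph of the NTLMv2 Security section in this removed page contradicts itself. It says the value 0x00080000 means "permit only NTLMv2 session security", then says the connection "will fail if NTLMv2 session security is negotiated", which reads as if a "not" was dropped from the failure condition. Deleting the HTML does not correct the wording. The sibling pages in this patch carry a DocBook XSL generator tag, so if this chapter is maintained in a source that stays in the tree, fix the sentence there so the next build does not reintroduce it.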
diff --git a/docs/htmldocs/Samba3-HOWTO/speed.html b/docs/htmldocs/Samba3-HOWTO/speed.html
deleted file mode 100644
index 9abb652d7b..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/speed.html
+++ /dev/null
@@ -1,174 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 45. Samba Performance Tuning</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="Other-Clients.html" title="Chapter 44. Samba and Other CIFS Clients"><link rel="next" href="ch-ldap-tls.html" title="Chapter 46. LDAP and Transport Layer Security"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 45. Samba Performance Tuning</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Other-Clients.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="ch-ldap-tls.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 45. Samba Performance Tuning"><div class="titlepage"><div><div><h2 class="title"><a name="speed"></a>Chapter 45. 
Samba Performance Tuning</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Paul</span> <span class="surname">Cochrane</span></h3><div class="affiliation"><span class="orgname">Dundee Limb Fitting Centre<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:paulc@dth.scot.nhs.uk">paulc@dth.scot.nhs.uk</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="speed.html#id452214">Comparisons</a></span></dt><dt><span class="sect1"><a href="speed.html#id452243">Socket Options</a></span></dt><dt><span class="sect1"><a href="speed.html#id452328">Read Size</a></span></dt><dt><span class="sect1"><a href="speed.html#id452364">Max Xmit</a></span></dt><dt><span class="sect1"><a href="speed.html#id452406">Log Level</a></span></dt><dt><span class="sect1"><a href="speed.html#id452428">Read Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id452488">Write Raw</a></span></dt><dt><span class="sect1"><a href="speed.html#id452536">Slow Logins</a></span></dt><dt><span class="sect1"><a href="speed.html#id452558">Client Tuning</a></span></dt><dt><span class="sect1"><a 
href="speed.html#id452577">Samba Performance Problem Due to Changing Linux Kernel</a></span></dt><dt><span class="sect1"><a href="speed.html#id452660">Corrupt tdb Files</a></span></dt><dt><span class="sect1"><a href="speed.html#id452749">Samba Performance is Very Slow</a></span></dt></dl></div><div class="sect1" title="Comparisons"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452214"></a>Comparisons</h2></div></div></div><p>
-The Samba server uses TCP to talk to the client, so if you are
-trying to see if it performs well, you should really compare it to
-programs that use the same protocol. The most readily available
-programs for file transfer that use TCP are ftp or another TCP-based
-SMB server.
-</p><p>
-If you want to test against something like an NT or Windows for Workgroups server, then
-you will have to disable all but TCP on either the client or
-server. Otherwise, you may well be using a totally different protocol
-(such as NetBEUI) and comparisons may not be valid.
-</p><p>
-Generally, you should find that Samba performs similarly to ftp at raw
-transfer speed. It should perform quite a bit faster than NFS,
-although this depends on your system.
-</p><p>
-Several people have done comparisons between Samba and Novell, NFS, or
-Windows NT. In some cases Samba performed the best, in others the worst. I
-suspect the biggest factor is not Samba versus some other system, but the
-hardware and drivers used on the various systems. Given similar
-hardware, Samba should certainly be competitive in speed with other
-systems.
-</p></div><div class="sect1" title="Socket Options"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452243"></a>Socket Options</h2></div></div></div><p>
-There are a number of socket options that can greatly affect the
-performance of a TCP-based server like Samba.
-</p><p>
-The socket options that Samba uses are settable both on the command
-line with the <code class="option">-O</code> option and in the <code class="filename">smb.conf</code> file.
-</p><p>
-The <a class="link" href="smb.conf.5.html#SOCKETOPTIONS" target="_top">socket options</a> section of the <code class="filename">smb.conf</code> manual page describes how
-to set these and gives recommendations.
-</p><p>
-Getting the socket options correct can make a big difference to your
-performance, but getting them wrong can degrade it by just as
-much. The correct settings are very dependent on your local network.
-</p><p>
-The socket option TCP_NODELAY is the one that seems to make the biggest single difference
-for most networks. Many people report that adding
-<a class="link" href="smb.conf.5.html#SOCKETOPTIONS" target="_top">socket options = TCP_NODELAY</a>
-doubles the read performance of a Samba drive. The best explanation I have seen for
-this is that the Microsoft TCP/IP stack is slow in sending TCP ACKs.
-</p><p>
-There have been reports that setting <em class="parameter"><code>socket options = SO_RCVBUF=8192</code></em> in smb.conf
-can seriously degrade Samba performance on the loopback adaptor (IP Address 127.0.0.1). It is strongly
-recommended that before specifying any settings for <em class="parameter"><code>socket options</code></em>, the effect
-first be quantitatively measured on the server being configured.
-</p></div><div class="sect1" title="Read Size"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452328"></a>Read Size</h2></div></div></div><p>
-The option <a class="link" href="smb.conf.5.html#READSIZE" target="_top">read size</a> affects the overlap of disk
-reads/writes with network reads/writes. If the amount of data being
-transferred in several of the SMB commands (currently SMBwrite, SMBwriteX, and
-SMBreadbraw) is larger than this value, then the server begins writing
-the data before it has received the whole packet from the network, or
-in the case of SMBreadbraw, it begins writing to the network before
-all the data has been read from disk.
-</p><p>
-This overlapping works best when the speeds of disk and network access
-are similar, having little effect when the speed of one is much
-greater than the other.
-</p><p>
-The default value is 16384, but little experimentation has been
-done as yet to determine the optimal value, and it is likely that the best
-value will vary greatly between systems anyway. A value over 65536 is
-pointless and will cause you to allocate memory unnecessarily.
-</p></div><div class="sect1" title="Max Xmit"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452364"></a>Max Xmit</h2></div></div></div><p>
- At startup the client and server negotiate a <em class="parameter"><code>maximum transmit</code></em> size,
-which limits the size of nearly all SMB commands. You can set the
-maximum size that Samba will negotiate using the <a class="link" href="smb.conf.5.html#MAXXMIT" target="_top">max xmit</a> option
-in <code class="filename">smb.conf</code>. Note that this is the maximum size of SMB requests that
-Samba will accept, but not the maximum size that the client will accept.
-The client maximum receive size is sent to Samba by the client, and Samba
-honors this limit.
-</p><p>
-It defaults to 65536 bytes (the maximum), but it is possible that some
-clients may perform better with a smaller transmit unit. Trying values
-of less than 2048 is likely to cause severe problems.
-In most cases the default is the best option.
-</p></div><div class="sect1" title="Log Level"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452406"></a>Log Level</h2></div></div></div><p>
-If you set the log level (also known as <a class="link" href="smb.conf.5.html#DEBUGLEVEL" target="_top">debug level</a>) higher than 2,
-then you may suffer a large drop in performance. This is because the
-server flushes the log file after each operation, which can be quite
-expensive.
-</p></div><div class="sect1" title="Read Raw"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452428"></a>Read Raw</h2></div></div></div><p>
-The <a class="link" href="smb.conf.5.html#READRAW" target="_top">read raw</a> operation is designed to be an optimized, low-latency
-file read operation. A server may choose to not support it,
-however, and Samba makes support for <a class="link" href="smb.conf.5.html#READRAW" target="_top">read raw</a> optional, with it
-being enabled by default.
-</p><p>
-In some cases clients do not handle <a class="link" href="smb.conf.5.html#READRAW" target="_top">read raw</a> very well and actually
-get lower performance using it than they get using the conventional
-read operations, so you might like to try <a class="link" href="smb.conf.5.html#READRAW" target="_top">read raw = no</a> and see what happens on your
-network. It might lower, raise, or not affect your performance. Only
-testing can really tell.
-</p></div><div class="sect1" title="Write Raw"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452488"></a>Write Raw</h2></div></div></div><p>
-The <a class="link" href="smb.conf.5.html#WRITERAW" target="_top">write raw</a> operation is designed to be an optimized, low-latency
-file write operation. A server may choose to not support it, however, and Samba makes support for
-<a class="link" href="smb.conf.5.html#WRITERAW" target="_top">write raw</a> optional, with it being enabled by default.
-</p><p>
-Some machines may find <a class="link" href="smb.conf.5.html#WRITERAW" target="_top">write raw</a> slower than normal write, in which
-case you may wish to change this option.
-</p></div><div class="sect1" title="Slow Logins"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452536"></a>Slow Logins</h2></div></div></div><p>
-Slow logins are almost always due to the password checking time. Using
-the lowest practical <a class="link" href="smb.conf.5.html#PASSWORDLEVEL" target="_top">password level</a> will improve things.
-</p></div><div class="sect1" title="Client Tuning"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452558"></a>Client Tuning</h2></div></div></div><p>
-Often a speed problem can be traced to the client. The client (for
-example Windows for Workgroups) can often be tuned for better TCP
-performance. Check the sections on the various clients in
-<a class="link" href="Other-Clients.html" title="Chapter 44. Samba and Other CIFS Clients">Samba and Other CIFS Clients</a>.
-</p></div><div class="sect1" title="Samba Performance Problem Due to Changing Linux Kernel"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452577"></a>Samba Performance Problem Due to Changing Linux Kernel</h2></div></div></div><p>
-A user wrote the following to the mailing list:
-</p><div class="blockquote"><blockquote class="blockquote"><p>
-<a class="indexterm" name="id452591"></a>
-<a class="indexterm" name="id452597"></a>
-I am running Gentoo on my server and Samba 2.2.8a. Recently I changed kernel versions from
-<code class="filename">linux-2.4.19-gentoo-r10</code> to <code class="filename">linux-2.4.20-wolk4.0s</code>. Now I have a
-performance issue with Samba. Many of you will probably say, <span class="quote">&#8220;<span class="quote">Move to vanilla sources!</span>&#8221;</span> Well, I
-tried that and it didn't work. I have a 100MB LAN and two computers (Linux and Windows 2000). The Linux server
-shares directories with DivX files, the client (Windows 2000) plays them via LAN. Before, when I was running
-the 2.4.19 kernel, everything was fine, but now movies freeze and stop. I tried moving files between the
-server and Windows, and it is terribly slow.
-</p></blockquote></div><p>
-The answer he was given is:
-</p><div class="blockquote"><blockquote class="blockquote"><p>
-<a class="indexterm" name="id452634"></a>
-<a class="indexterm" name="id452641"></a>
-<a class="indexterm" name="id452647"></a>
-Grab the mii-tool and check the duplex settings on the NIC. My guess is that it is a link layer issue, not an
-application layer problem. Also run ifconfig and verify that the framing error, collisions, and so on, look
-normal for ethernet.
-</p></blockquote></div></div><div class="sect1" title="Corrupt tdb Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452660"></a>Corrupt tdb Files</h2></div></div></div><p>
-<a class="indexterm" name="id452667"></a>
-<a class="indexterm" name="id452674"></a>
-<a class="indexterm" name="id452681"></a>
-Our Samba PDC server has been hosting three TB of data to our 500+ users [Windows NT/XP] for the last three
-years using Samba without a problem. Today all shares went very slow. Also, the main smbd kept spawning new
-processes, so we had 1600+ running SMDB's (normally we average 250). It crashed the SUN E3500 cluster twice.
-After a lot of searching, I decided to <code class="literal">rm /var/locks/*.tdb</code>. Happy again.
-</p><p>
-<span class="emphasis"><em>Question:</em></span> Is there any method of keeping the *.tdb files in top condition, or
-how can I detect early corruption?
-</p><p>
-<a class="indexterm" name="id452708"></a>
-<a class="indexterm" name="id452714"></a>
-<span class="emphasis"><em>Answer:</em></span> Yes, run <code class="literal">tdbbackup</code> each time after stopping nmbd and before starting nmbd.
-</p><p>
-<span class="emphasis"><em>Question:</em></span> What I also would like to mention is that the service latency seems
-a lot lower than before the locks cleanup. Any ideas on keeping it top notch?
-</p><p>
-<span class="emphasis"><em>Answer:</em></span> Yes. Same answer as for previous question!
-</p></div><div class="sect1" title="Samba Performance is Very Slow"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id452749"></a>Samba Performance is Very Slow</h2></div></div></div><p>
-<a class="indexterm" name="id452756"></a>
-A site reported experiencing very baffling symptoms with MYOB Premier opening and
-accessing its data files. Some operations on the file would take between 40 and
-45 seconds.
-</p><p>
-<a class="indexterm" name="id452768"></a>
-<a class="indexterm" name="id452775"></a>
-It turned out that the printer monitor program running on the Windows
-clients was causing the problems. From the logs, we saw activity coming
-through with pauses of about 1 second.
-</p><p>
-<a class="indexterm" name="id452786"></a>
-<a class="indexterm" name="id452793"></a>
-Stopping the monitor software resulted in the networks access at normal
-(quick) speed. Restarting the program caused the speed to slow down
-again. The printer was a Canon LBP-810 and the relevant task was
-something like CAPON (not sure on spelling). The monitor software
-displayed a "printing now" dialog on the client during printing.
-</p><p>
-We discovered this by starting with a clean install of Windows and
-trying the application at every step of the installation of other software
-process (we had to do this many times).
-</p><p>
-Moral of the story: Check everything (other software included)!
-</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Other-Clients.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ch-ldap-tls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 44. Samba and Other CIFS Clients </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 46. LDAP and Transport Layer Security</td></tr></table></div></body></html>
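Review bot: the Corrupt tdb Files section of this removed page presents "rm /var/locks/*.tdb" as the cure with no caveat, while Table 41.1 in tdb.html, removed in the same patch, marks account_policy.tdb and group_mapping.tdb as Preserve = Y. The answer that follows says to run tdbbackup "after stopping nmbd and before starting nmbd", although the report is about smbd spawning processes. The meta generator tag at the top of the hunk shows the file is DocBook XSL output, so removing it leaves both points standing in whatever source it was built from. Either fix them there, or state in the commit message that the source is being removed as well.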
diff --git a/docs/htmldocs/Samba3-HOWTO/tdb.html b/docs/htmldocs/Samba3-HOWTO/tdb.html
deleted file mode 100644
index e61f0a84b2..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/tdb.html
+++ /dev/null
@@ -1,56 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. Managing TDB Files</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="prev" href="bugreport.html" title="Chapter 40. Reporting Bugs"><link rel="next" href="Appendix.html" title="Part VI. Reference Section"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. Managing TDB Files</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="Appendix.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 41. Managing TDB Files"><div class="titlepage"><div><div><h2 class="title"><a name="tdb"></a>Chapter 41. 
Managing TDB Files</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 28, 2008</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="tdb.html#id448693">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="tdb.html#id449130">Managing TDB Files</a></span></dt></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id448693"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id448701"></a>
-<a class="indexterm" name="id448708"></a>
- Samba uses a lightweight database called Trivial Database (tdb) in which it stores persistent and transient data.
- Some tdb files can be disposed of before restarting Samba, but others are used to store information that is vital
- to Samba configuration and behavior. The following information is provided to help administrators who are seeking
- to better manage their Samba installations.
- </p><p>
-<a class="indexterm" name="id448721"></a>
-<a class="indexterm" name="id448728"></a>
-<a class="indexterm" name="id448734"></a>
-<a class="indexterm" name="id448741"></a>
- Those who package Samba for commercial distribution with operating systems and appliances would do well to take
- note that tdb files can get corrupted, and for this reason ought to be backed up regularly. An appropriate time
- is at system shutdown (backup) and startup (restore from backup).
- </p><div class="table"><a name="TOSH-TDB"></a><p class="title"><b>Table 41.1. Samba's Trivial Database Files</b></p><div class="table-contents"><table summary="Samba's Trivial Database Files" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">File name</th><th align="center">Preserve</th><th align="center">Description</th></tr></thead><tbody><tr><td align="center">account_policy.tdb</td><td align="center">Y</td><td align="center"><p>NT account policy settings such as pw expiration, etc...</p></td></tr><tr><td align="center">brlock.tdb</td><td align="center">N</td><td align="center"><p>Byte range locks.</p></td></tr><tr><td align="center">browse.dat</td><td align="center">N</td><td align="center"><p>Browse lists - gets rebuilt automatically.</p></td></tr><tr><td align="center">connections.tdb</td><td align="center">N</td><td align="center"><p>Share connections. Used to enforce max connections, etc.</p></td></tr><tr><td align="center">gencache.tdb</td><td align="center">N</td><td align="center"><p>Generic caching database.</p></td></tr><tr><td align="center">group_mapping.tdb</td><td align="center">Y</td><td align="center"><p>Stores group mapping information. Not used when using LDAP backend.</p></td></tr><tr><td align="center"> lang_en.tdb</td><td align="center">Y</td><td align="center"><p>Stores language encoding information.</p></td></tr><tr><td align="center">locking.tdb</td><td align="center">N</td><td align="center"><p>Stores share mode and oplock information.</p></td></tr><tr><td align="center">login_cache.tdb</td><td align="center">N</td><td align="center"><p>Keeps a log of bad pw attempts.</p></td></tr><tr><td align="center">messages.tdb</td><td align="center">N</td><td align="center"><p>Used to keep track of Samba internal messaging.</p></td></tr><tr><td align="center">netsamlogon_cache.tdb</td><td align="center">Y</td><td align="center"><p>
- Cache of user net_info_3 struct from <span class="emphasis"><em>net_samlogon()</em></span>
- requests from domain member machines.
- </p></td></tr><tr><td align="center">ntdrivers.tdb</td><td align="center">Y</td><td align="center"><p>Stores installed printer driver information.</p></td></tr><tr><td align="center">ntforms.tdb</td><td align="center">Y</td><td align="center"><p>Stores installed printer forms information.</p></td></tr><tr><td align="center">ntprinters.tdb</td><td align="center">Y</td><td align="center"><p>Stores installed printers information.</p></td></tr><tr><td align="center">printing directory</td><td align="center">Y</td><td align="center"><p>Directory containing tdb per print queue of cached lpq output.</p></td></tr><tr><td align="center">registry.tdb</td><td align="center">Y</td><td align="center"><p>Windows registry skeleton (connect via regedit.exe).</p></td></tr><tr><td align="center">sessionid.tdb</td><td align="center">N</td><td align="center"><p>Session information to support <code class="literal">utmp = yes</code> capabilities.</p></td></tr><tr><td align="center">share_info.tdb</td><td align="center">Y</td><td align="center"><p>Stores share-level ACL configuration settings.
- Default ACL is <span class="emphasis"><em>Everyone - Full Control</em></span>.
- </p></td></tr><tr><td align="center">unexpected.tdb</td><td align="center">N</td><td align="center"><p>
- Unexpected packet queue needed to support windows clients that respond on a
- different port that the originating reques.
- </p></td></tr><tr><td align="center">winbindd_cache.tdb</td><td align="center">N</td><td align="center"><p>Winbind's cache of user lists.</p></td></tr><tr><td align="center">winbindd_idmap.tdb</td><td align="center">Y</td><td align="center"><p>Winbind's local IDMAP database.</p></td></tr><tr><td align="center">wins.dat</td><td align="center">N</td><td align="center"><p>
- WINS database iused only when <em class="parameter"><code>wins support = yes</code></em>
- has been set. This gets rebuilt or updated at every restart.
- </p></td></tr><tr><td align="center">wins.tdb</td><td align="center">Y</td><td align="center"><p>
- The working permanent storage for all WINS data. This database is used only
- when <em class="parameter"><code>wins support = yes</code></em> has been set in the <code class="filename">smb.conf</code> file.
- Note: This retains all manually configured WINS entries. Manual setting can be done use the net utility.
- </p></td></tr><tr><td align="center">secrets.tdb</td><td align="center">Y</td><td align="center"><p>
- This tdb file stores internal settings such as the machine and the domain SID, secret passwords
- that are used with LDAP, the machine secret token, etc. This is an essential file that is stored
- in a secure area. Vendors locate this in various folders. Check <code class="literal">smbd -b</code> to
- find its location on your system.
- </p></td></tr><tr><td align="center">schannel_store.tdb</td><td align="center">Y</td><td align="center"><p>
- This stores secure channel access token information used with SMB signing.
- </p></td></tr><tr><td align="center">passdb.tdb</td><td align="center">Y</td><td align="center"><p>
- This stores the Samba SAM account information when using a tdbsam password backend.
- </p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect1" title="Managing TDB Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id449130"></a>Managing TDB Files</h2></div></div></div><p>
- The <code class="literal">tdbbackup</code> utility is a tool that may be used to backup samba tdb files.
- This tool may also be used to verify the integrity of the tdb files prior to Samba startup or
- during normal operation. If it finds file damage it will search for a prior backup the backup
- file from which the damaged tdb file will be restored. The <code class="literal">tdbbackup</code>
- utility can safely be run at any time. It was designed so that it can be used at any time to
- validate the integrity of tdb files, even during Samba operation.
- </p><p>
- It is recommended to backup all tdb files as part of the Samba start-up scripts on a Samba
- server. The following command syntax can be used:
- </p><pre class="screen">
-myserver# &gt; cd /var/lib/samba
-myserver@ &gt; tdbbackup *.tdb
-</pre><p>
- The default extension is <code class="filename">.bak</code>. Any alternate extension can be specified
- by executing <code class="literal">tdbbackup -s 'new_extension' *.tdb</code> as part of your startup script.
- </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Appendix.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part VI. Reference Section</td></tr></table></div></body></html>
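Review bot: In the "Managing TDB Files" section, the `tdbbackup *.tdb` startup advice never connects to the table rows above it. secrets.tdb and passdb.tdb are described there as holding the machine secret, LDAP passwords and SAM account data, so their `.bak` copies carry the same material, and the text should say they need the same restricted location and handling as the originals. The `generator` meta tag shows this page is DocBook output, so if the chapter is kept in its source form, that is also where to fix the wording errors visible here: "search for a prior backup the backup file", "different port that the originating reques", "iused", and the second prompt in the screen example, which reads `myserver@ >` against `myserver# >` on the line before.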
diff --git a/docs/htmldocs/Samba3-HOWTO/troubleshooting.html b/docs/htmldocs/Samba3-HOWTO/troubleshooting.html
deleted file mode 100644
index 845af19f54..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/troubleshooting.html
+++ /dev/null
@@ -1 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part V. Troubleshooting</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="SWAT.html" title="Chapter 37. SWAT: The Samba Web Administration Tool"><link rel="next" href="diagnosis.html" title="Chapter 38. The Samba Checklist"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part V. Troubleshooting</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr></table><hr></div><div class="part" title="Part V. Troubleshooting"><div class="titlepage"><div><div><h1 class="title"><a name="troubleshooting"></a>Part V. Troubleshooting</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="diagnosis.html">38. The Samba Checklist</a></span></dt><dd><dl><dt><span class="sect1"><a href="diagnosis.html#id444817">Introduction</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id444853">Assumptions</a></span></dt><dt><span class="sect1"><a href="diagnosis.html#id445131">The Tests</a></span></dt></dl></dd><dt><span class="chapter"><a href="problems.html">39. 
Analyzing and Solving Samba Problems</a></span></dt><dd><dl><dt><span class="sect1"><a href="problems.html#id446780">Diagnostics Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="problems.html#id446829">Debugging with Samba Itself</a></span></dt><dt><span class="sect2"><a href="problems.html#id447073">Tcpdump</a></span></dt><dt><span class="sect2"><a href="problems.html#id447122">Ethereal</a></span></dt><dt><span class="sect2"><a href="problems.html#id447261">The Windows Network Monitor</a></span></dt></dl></dd><dt><span class="sect1"><a href="problems.html#id447567">Useful URLs</a></span></dt><dt><span class="sect1"><a href="problems.html#id447602">Getting Mailing List Help</a></span></dt><dt><span class="sect1"><a href="problems.html#id447756">How to Get Off the Mailing Lists</a></span></dt></dl></dd><dt><span class="chapter"><a href="bugreport.html">40. Reporting Bugs</a></span></dt><dd><dl><dt><span class="sect1"><a href="bugreport.html#id447883">Introduction</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id447963">General Information</a></span></dt><dt><span class="sect1"><a href="bugreport.html#dbglvl">Debug Levels</a></span></dt><dd><dl><dt><span class="sect2"><a href="bugreport.html#id448181">Debugging-Specific Operations</a></span></dt></dl></dd><dt><span class="sect1"><a href="bugreport.html#id448377">Internal Errors</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id448498">Attaching to a Running Process</a></span></dt><dt><span class="sect1"><a href="bugreport.html#id448614">Patches</a></span></dt></dl></dd><dt><span class="chapter"><a href="tdb.html">41. 
Managing TDB Files</a></span></dt><dd><dl><dt><span class="sect1"><a href="tdb.html#id448693">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="tdb.html#id449130">Managing TDB Files</a></span></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 37. SWAT: The Samba Web Administration Tool </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 38. The Samba Checklist</td></tr></table></div></body></html>
diff --git a/docs/htmldocs/Samba3-HOWTO/type.html b/docs/htmldocs/Samba3-HOWTO/type.html
deleted file mode 100644
index edd02d8be8..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/type.html
+++ /dev/null
@@ -1,5 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part II. Server Configuration Basics</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="prev" href="FastStart.html" title="Chapter 2. Fast Start: Cure for Impatience"><link rel="next" href="ServerType.html" title="Chapter 3. Server Types and Security Modes"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part II. Server Configuration Basics</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr></table><hr></div><div class="part" title="Part II. Server Configuration Basics"><div class="titlepage"><div><div><h1 class="title"><a name="type"></a>Part II. Server Configuration Basics</h1></div></div></div><div class="partintro" title="First Steps in Server Configuration"><div><div><div><h1 class="title"><a name="id330554"></a>First Steps in Server Configuration</h1></div></div></div><p>
-Samba can operate in various modes within SMB networks. This HOWTO section contains information on
-configuring Samba to function as the type of server your network requires. Please read this
-section carefully.
-</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="ServerType.html">3. Server Types and Security Modes</a></span></dt><dd><dl><dt><span class="sect1"><a href="ServerType.html#id330679">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id330822">Server Types</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id330959">Samba Security Modes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id331101">User Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331249">Share-Level Security</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331413">Domain Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331866">ADS Security Mode (User-Level Security)</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id331998">Server Security (User Level Security)</a></span></dt></dl></dd><dt><span class="sect1"><a href="ServerType.html#id332239">Password Checking</a></span></dt><dt><span class="sect1"><a href="ServerType.html#id332395">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="ServerType.html#id332416">What Makes Samba a Server?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332443">What Makes Samba a Domain Controller?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332478">What Makes Samba a Domain Member?</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332502">Constantly Losing Connections to Password Server</a></span></dt><dt><span class="sect2"><a href="ServerType.html#id332541">Stand-alone Server is converted to Domain Controller Now User accounts don't work</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="samba-pdc.html">4. 
Domain Control</a></span></dt><dd><dl><dt><span class="sect1"><a href="samba-pdc.html#id332816">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id333361">Single Sign-On and Domain Security</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id333870">Basics of Domain Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id333888">Domain Controller Types</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id334343">Preparing for Domain Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id334811">Domain Control: Example Configuration</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id335523">Samba ADS Domain Control</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id335566">Domain and Network Logon Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id335583">Domain Network Logon Service</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336119">Security Mode and Master Browsers</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id336354">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id336359"><span class="quote">&#8220;<span class="quote">$</span>&#8221;</span> Cannot Be Included in Machine Name</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336454">Joining Domain Fails Because of Existing Machine Account</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336513">The System Cannot Log You On (C000019B)</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336578">The Machine Trust Account Is Not Accessible</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336685">Account Disabled</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336710">Domain Controller Unavailable</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id336727">Cannot Log 
onto Domain Member Workstation After Joining Domain</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="samba-bdc.html">5. Backup Domain Control</a></span></dt><dd><dl><dt><span class="sect1"><a href="samba-bdc.html#id336899">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-bdc.html#id337275">Essential Background Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id337339">MS Windows NT4-style Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id337967">LDAP Configuration Notes</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id338300">Active Directory Domain Control</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id338354">What Qualifies a Domain Controller on the Network?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id338437">How Does a Workstation find its Domain Controller?</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id338595">Backup Domain Controller Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id339066">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-bdc.html#id339500">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-bdc.html#id339540">Machine Accounts Keep Expiring</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id339588">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id339639">How Do I Replicate the smbpasswd File?</a></span></dt><dt><span class="sect2"><a href="samba-bdc.html#id339736">Can I Do This All with LDAP?</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="domain-member.html">6. 
Domain Membership</a></span></dt><dd><dl><dt><span class="sect1"><a href="domain-member.html#id339970">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341389">Making an MS Windows Workstation or Server a Domain Member</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#domain-member-server">Domain Member Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342539">Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id342799">Configure <code class="filename">smb.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342981">Configure <code class="filename">/etc/krb5.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-server">Testing Server Setup</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-smbclient">Testing with <span class="application">smbclient</span></a></span></dt><dt><span class="sect2"><a 
href="domain-member.html#id344013">Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a></span></dt><dt><span class="sect1"><a href="domain-member.html#id344280">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id344314">Cannot Add Machine Back to Domain</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344384">Adding Machine to Domain Fails</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344604">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="StandAloneServer.html">7. Standalone Servers</a></span></dt><dd><dl><dt><span class="sect1"><a href="StandAloneServer.html#id344722">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id344808">Background</a></span></dt><dt><span class="sect1"><a href="StandAloneServer.html#id344984">Example Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></span></dt><dt><span class="sect2"><a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></span></dt></dl></dd><dt><span class="sect1"><a href="StandAloneServer.html#id345921">Common Errors</a></span></dt></dl></dd><dt><span class="chapter"><a href="ClientConfig.html">8. 
MS Windows Network Configuration Guide</a></span></dt><dd><dl><dt><span class="sect1"><a href="ClientConfig.html#id345986">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="ClientConfig.html#id346039">Technical Details</a></span></dt><dd><dl><dt><span class="sect2"><a href="ClientConfig.html#id346080">TCP/IP Configuration</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id347777">Joining a Domain: Windows 2000/XP Professional</a></span></dt><dt><span class="sect2"><a href="ClientConfig.html#id348286">Domain Logon Configuration: Windows 9x/Me</a></span></dt></dl></dd><dt><span class="sect1"><a href="ClientConfig.html#id348714">Common Errors</a></span></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Fast Start: Cure for Impatience </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Server Types and Security Modes</td></tr></table></div></body></html>
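Review bot: The section titles in this table of contents are inconsistent and should be normalized wherever the chapter titles are maintained. The Samba Security Modes entries mix "User Level Security", "Share-Level Security" and "(User-Level Security)", and the Common Errors entry "Stand-alone Server is converted to Domain Controller Now User accounts don't work" runs two clauses together without a separator and spells "Stand-alone" differently from the chapter title "Standalone Servers".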
diff --git a/docs/htmldocs/Samba3-HOWTO/unicode.html b/docs/htmldocs/Samba3-HOWTO/unicode.html
deleted file mode 100644
index d7d83ad61a..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/unicode.html
+++ /dev/null
@@ -1,317 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Unicode/Charsets</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="integrate-ms-networks.html" title="Chapter 29. Integrating MS Windows Networks with Samba"><link rel="next" href="Backup.html" title="Chapter 31. Backup Techniques"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Unicode/Charsets</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="integrate-ms-networks.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="Backup.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 30. Unicode/Charsets"><div class="titlepage"><div><div><h2 class="title"><a name="unicode"></a>Chapter 30. 
Unicode/Charsets</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">TAKAHASHI</span> <span class="surname">Motonobu</span></h3><span class="contrib">Japanese character support</span> <div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:monyo@home.monyo.com">monyo@home.monyo.com</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">25 March 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unicode.html#id432528">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432573">What Are Charsets and Unicode?</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432692">Samba and Charsets</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432818">Conversion from Old Names</a></span></dt><dt><span class="sect1"><a href="unicode.html#id432847">Japanese Charsets</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id432968">Basic Parameter Setting</a></span></dt><dt><span class="sect2"><a href="unicode.html#id433545">Individual Implementations</a></span></dt><dt><span class="sect2"><a 
href="unicode.html#id433658">Migration from Samba-2.2 Series</a></span></dt></dl></dd><dt><span class="sect1"><a href="unicode.html#id433797">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="unicode.html#id433803">CP850.so Can't Be Found</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432528"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id432536"></a>
-Every industry eventually matures. One of the great areas of maturation is in
-the focus that has been given over the past decade to make it possible for anyone
-anywhere to use a computer. It has not always been that way. In fact, not so long
-ago, it was common for software to be written for exclusive use in the country of
-origin.
-</p><p>
-Of all the effort that has been brought to bear on providing native
-language support for all computer users, the efforts of the
-<a class="ulink" href="http://www.openi18n.org/" target="_top">Openi18n organization</a>
-is deserving of special mention.
-</p><p>
-<a class="indexterm" name="id432559"></a>
-Samba-2.x supported a single locale through a mechanism called
-<span class="emphasis"><em>codepages</em></span>. Samba-3 is destined to become a truly transglobal
-file- and printer-sharing platform.
-</p></div><div class="sect1" title="What Are Charsets and Unicode?"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432573"></a>What Are Charsets and Unicode?</h2></div></div></div><p>
-<a class="indexterm" name="id432581"></a>
-Computers communicate in numbers. In texts, each number is
-translated to a corresponding letter. The meaning that will be assigned
-to a certain number depends on the <span class="emphasis"><em>character set (charset)
-</em></span> that is used.
-</p><p>
-<a class="indexterm" name="id432597"></a>
-<a class="indexterm" name="id432603"></a>
-A charset can be seen as a table that is used to translate numbers to
-letters. Not all computers use the same charset (there are charsets
-with German umlauts, Japanese characters, and so on). The American Standard Code
-for Information Interchange (ASCII) encoding system has been the normative character
-encoding scheme used by computers to date. This employs a charset that contains
-256 characters. Using this mode of encoding, each character takes exactly one byte.
-</p><p>
-<a class="indexterm" name="id432618"></a>
-<a class="indexterm" name="id432624"></a>
-There are also charsets that support extended characters, but those need at least
-twice as much storage space as does ASCII encoding. Such charsets can contain
-<code class="literal">256 * 256 = 65536</code> characters, which is more than all possible
-characters one could think of. They are called multibyte charsets because they use
-more then one byte to store one character.
-</p><p>
-<a class="indexterm" name="id432643"></a>
-One standardized multibyte charset encoding scheme is known as
-<a class="ulink" href="http://www.unicode.org/" target="_top">unicode</a>. A big advantage of using a
-multibyte charset is that you only need one. There is no need to make sure two
-computers use the same charset when they are communicating.
-</p><p>
-<a class="indexterm" name="id432661"></a>
-<a class="indexterm" name="id432668"></a>
-<a class="indexterm" name="id432675"></a>
-Old Windows clients use single-byte charsets, named
-<em class="parameter"><code>codepages</code></em>, by Microsoft. However, there is no support for
-negotiating the charset to be used in the SMB/CIFS protocol. Thus, you
-have to make sure you are using the same charset when talking to an older client.
-Newer clients (Windows NT, 200x, XP) talk Unicode over the wire.
-</p></div><div class="sect1" title="Samba and Charsets"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432692"></a>Samba and Charsets</h2></div></div></div><p>
-<a class="indexterm" name="id432700"></a>
-<a class="indexterm" name="id432707"></a>
-As of Samba-3, Samba can (and will) talk Unicode over the wire. Internally,
-Samba knows of three kinds of character sets:
-</p><div class="variablelist"><dl><dt><span class="term"><a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a></span></dt><dd><p>
-<a class="indexterm" name="id432737"></a>
-<a class="indexterm" name="id432743"></a>
- This is the charset used internally by your operating system.
- The default is <code class="constant">UTF-8</code>, which is fine for most
- systems and covers all characters in all languages. The default
- in previous Samba releases was to save filenames in the encoding of the
- clients for example, CP850 for Western European countries.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#DISPLAYCHARSET" target="_top">display charset</a></span></dt><dd><p>This is the charset Samba uses to print messages
- on your screen. It should generally be the same as the <em class="parameter"><code>unix charset</code></em>.
- </p></dd><dt><span class="term"><a class="link" href="smb.conf.5.html#DOSCHARSET" target="_top">dos charset</a></span></dt><dd><p>This is the charset Samba uses when communicating with
- DOS and Windows 9x/Me clients. It will talk Unicode to all newer clients.
- The default depends on the charsets you have installed on your system.
- Run <code class="literal">testparm -v | grep "dos charset"</code> to see
- what the default is on your system.
- </p></dd></dl></div></div><div class="sect1" title="Conversion from Old Names"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432818"></a>Conversion from Old Names</h2></div></div></div><p>
-<a class="indexterm" name="id432826"></a>
-Because previous Samba versions did not do any charset conversion,
-characters in filenames are usually not correct in the UNIX charset but only
-for the local charset used by the DOS/Windows clients.
-</p><p>Bjoern Jacke has written a utility named <a class="ulink" href="http://j3e.de/linux/convmv/" target="_top">convmv</a>
-that can convert whole directory structures to different charsets with one single command.
-</p></div><div class="sect1" title="Japanese Charsets"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id432847"></a>Japanese Charsets</h2></div></div></div><p>
-Setting up Japanese charsets is quite difficult. This is mainly because:
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id432862"></a>
- The Windows character set is extended from the original legacy Japanese
- standard (JIS X 0208) and is not standardized. This means that the strictly
- standardized implementation cannot support the full Windows character set.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id432875"></a>
-<a class="indexterm" name="id432882"></a>
-<a class="indexterm" name="id432889"></a>
-<a class="indexterm" name="id432896"></a>
-<a class="indexterm" name="id432902"></a>
- Mainly for historical reasons, there are several encoding methods in
- Japanese, which are not fully compatible with each other. There are
- two major encoding methods. One is the Shift_JIS series used in Windows
- and some UNIXes. The other is the EUC-JP series used in most UNIXes
- and Linux. Moreover, Samba previously also offered several unique encoding
- methods, named CAP and HEX, to keep interoperability with CAP/NetAtalk and
- UNIXes that can't use Japanese filenames. Some implementations of the
- EUC-JP series can't support the full Windows character set.
- </p></li><li class="listitem"><p>There are some code conversion tables between Unicode and legacy
- Japanese character sets. One is compatible with Windows, another one
- is based on the reference of the Unicode consortium, and others are
- a mixed implementation. The Unicode consortium does not officially
- define any conversion tables between Unicode and legacy character
- sets, so there cannot be standard one.
- </p></li><li class="listitem"><p>The character set and conversion tables available in iconv() depend
- on the iconv library that is available. Next to that, the Japanese locale
- names may be different on different systems. This means that the value of
- the charset parameters depends on the implementation of iconv() you are using.
- </p><p>
-<a class="indexterm" name="id432936"></a>
-<a class="indexterm" name="id432943"></a>
-<a class="indexterm" name="id432950"></a>
-<a class="indexterm" name="id432957"></a>
- Though 2-byte fixed UCS-2 encoding is used in Windows internally,
- Shift_JIS series encoding is usually used in Japanese environments
- as ASCII encoding is in English environments.
- </p></li></ul></div><div class="sect2" title="Basic Parameter Setting"><div class="titlepage"><div><div><h3 class="title"><a name="id432968"></a>Basic Parameter Setting</h3></div></div></div><p>
-<a class="indexterm" name="id432974"></a>
- The <a class="link" href="smb.conf.5.html#DOSCHARSET" target="_top">dos charset</a> and
- <a class="link" href="smb.conf.5.html#DISPLAYCHARSET" target="_top">display charset</a>
- should be set to the locale compatible with the character set
- and encoding method used on Windows. This is usually CP932
- but sometimes has a different name.
- </p><p>
-<a class="indexterm" name="id433008"></a>
-<a class="indexterm" name="id433014"></a>
-<a class="indexterm" name="id433021"></a>
- The <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a> can be either Shift_JIS series,
- EUC-JP series, or UTF-8. UTF-8 is always available, but the availability of other locales
- and the name itself depends on the system.
- </p><p>
- Additionally, you can consider using the Shift_JIS series as the
- value of the <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a>
- parameter by using the vfs_cap module, which does the same thing as
- setting <span class="quote">&#8220;<span class="quote">coding system = CAP</span>&#8221;</span> in the Samba 2.2 series.
- </p><p>
- Where to set <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a>
- to is a difficult question. Here is a list of details, advantages, and
- disadvantages of using a certain value.
- </p><div class="variablelist"><dl><dt><span class="term">Shift_JIS series</span></dt><dd><p>
- Shift_JIS series means a locale that is equivalent to <code class="constant">Shift_JIS</code>,
- used as a standard on Japanese Windows. In the case of <code class="constant">Shift_JIS</code>,
- for example, if a Japanese filename consists of 0x8ba4 and 0x974c
- (a 4-bytes Japanese character string meaning <span class="quote">&#8220;<span class="quote">share</span>&#8221;</span>) and <span class="quote">&#8220;<span class="quote">.txt</span>&#8221;</span>
- is written from Windows on Samba, the filename on UNIX becomes
- 0x8ba4, 0x974c, <span class="quote">&#8220;<span class="quote">.txt</span>&#8221;</span> (an 8-byte BINARY string), same as Windows.
- </p><p>Since Shift_JIS series is usually used on some commercial-based
- UNIXes; hp-ux and AIX as the Japanese locale (however, it is also possible
- to use the EUC-JP locale series). To use Shift_JIS series on these platforms,
- Japanese filenames created from Windows can be referred to also on
- UNIX.</p><p>
- If your UNIX is already working with Shift_JIS and there is a user
- who needs to use Japanese filenames written from Windows, the
- Shift_JIS series is the best choice. However, broken filenames
- may be displayed, and some commands that cannot handle non-ASCII
- filenames may be aborted during parsing filenames. Especially, there
- may be <span class="quote">&#8220;<span class="quote">\ (0x5c)</span>&#8221;</span> in filenames, which need to be handled carefully.
- It is best to not touch filenames written from Windows on UNIX.
- </p><p>
- Note that most Japanized free software actually works with EUC-JP
- only. It is good practice to verify that the Japanized free software can work
- with Shift_JIS.
- </p></dd><dt><span class="term">EUC-JP series</span></dt><dd><p>
-<a class="indexterm" name="id433138"></a>
-<a class="indexterm" name="id433145"></a>
- EUC-JP series means a locale that is equivalent to the industry
- standard called EUC-JP, widely used in Japanese UNIX (although EUC
- contains specifications for languages other than Japanese, such as
- EUC-KR). In the case of EUC-JP series, for example, if a Japanese
- filename consists of 0x8ba4 and 0x974c and <span class="quote">&#8220;<span class="quote">.txt</span>&#8221;</span> is written from
- Windows on Samba, the filename on UNIX becomes 0xb6a6, 0xcdad,
- <span class="quote">&#8220;<span class="quote">.txt</span>&#8221;</span> (an 8-byte BINARY string).
- </p><p>
-<a class="indexterm" name="id433166"></a>
-<a class="indexterm" name="id433172"></a>
-<a class="indexterm" name="id433179"></a>
-<a class="indexterm" name="id433186"></a>
-<a class="indexterm" name="id433193"></a>
-<a class="indexterm" name="id433200"></a>
-<a class="indexterm" name="id433206"></a>
-<a class="indexterm" name="id433213"></a>
-<a class="indexterm" name="id433220"></a>
-<a class="indexterm" name="id433227"></a>
- Since EUC-JP is usually used on open source UNIX, Linux, and FreeBSD, and on commercial-based UNIX, Solaris,
- IRIX, and Tru64 UNIX as Japanese locale (however, it is also possible on Solaris to use Shift_JIS and UTF-8,
- and on Tru64 UNIX it is possible to use Shift_JIS). To use EUC-JP series, most Japanese filenames created from
- Windows can be referred to also on UNIX. Also, most Japanized free software works mainly with EUC-JP only.
- </p><p>
- It is recommended to choose EUC-JP series when using Japanese filenames on UNIX.
- </p><p>
- Although there is no character that needs to be carefully treated
- like <span class="quote">&#8220;<span class="quote">\ (0x5c)</span>&#8221;</span>, broken filenames may be displayed and some
- commands that cannot handle non-ASCII filenames may be aborted
- during parsing filenames.
- </p><p>
-<a class="indexterm" name="id433254"></a>
- Moreover, if you built Samba using differently installed libiconv,
- the eucJP-ms locale included in libiconv and EUC-JP series locale
- included in the operating system may not be compatible. In this case, you may need to
- avoid using incompatible characters for filenames.
- </p></dd><dt><span class="term">UTF-8</span></dt><dd><p>
- UTF-8 means a locale equivalent to UTF-8, the international standard defined by the Unicode consortium. In
- UTF-8, a <em class="parameter"><code>character</code></em> is expressed using 1 to 3 bytes. In case of the Japanese language,
- most characters are expressed using 3 bytes. Since on Windows Shift_JIS, where a character is expressed with 1
- or 2 bytes is used to express Japanese, basically a byte length of a UTF-8 string the length of the UTF-8
- string is 1.5 times that of the original Shift_JIS string. In the case of UTF-8, for example, if a Japanese
- filename consists of 0x8ba4 and 0x974c, and <span class="quote">&#8220;<span class="quote">.txt</span>&#8221;</span> is written from Windows on Samba, the filename
- on UNIX becomes 0xe585, 0xb1e6, 0x9c89, <span class="quote">&#8220;<span class="quote">.txt</span>&#8221;</span> (a 10-byte BINARY string).
- </p><p>
- For systems where iconv() is not available or where iconv()'s locales
- are not compatible with Windows, UTF-8 is the only locale available.
- </p><p>
- There are no systems that use UTF-8 as the default locale for Japanese.
- </p><p>
- Some broken filenames may be displayed, and some commands that
- cannot handle non-ASCII filenames may be aborted during parsing
- filenames. Especially, there may be <span class="quote">&#8220;<span class="quote">\ (0x5c)</span>&#8221;</span> in filenames, which
- must be handled carefully, so you had better not touch filenames
- written from Windows on UNIX.
- </p><p>
-<a class="indexterm" name="id433314"></a>
-<a class="indexterm" name="id433321"></a>
-<a class="indexterm" name="id433328"></a>
- In addition, although it is not directly concerned with Samba, since
- there is a delicate difference between the iconv() function, which is
- generally used on UNIX, and the functions used on other platforms,
- such as Windows and Java, so far is concerns the conversion between
- Shift_JIS and Unicode UTF-8 must be done with care and recognition
- of the limitations involved in the process.
- </p><p>
-<a class="indexterm" name="id433341"></a>
- Although Mac OS X uses UTF-8 as its encoding method for filenames,
- it uses an extended UTF-8 specification that Samba cannot handle, so
- UTF-8 locale is not available for Mac OS X.
- </p></dd><dt><span class="term">Shift_JIS series + vfs_cap (CAP encoding)</span></dt><dd><p>
-<a class="indexterm" name="id433361"></a>
-<a class="indexterm" name="id433367"></a>
-<a class="indexterm" name="id433374"></a>
- CAP encoding means a specification used in CAP and NetAtalk, file
- server software for Macintosh. In the case of CAP encoding, for
- example, if a Japanese filename consists of 0x8ba4 and 0x974c, and
- <span class="quote">&#8220;<span class="quote">.txt</span>&#8221;</span> is written from Windows on Samba, the filename on UNIX
- becomes <span class="quote">&#8220;<span class="quote">:8b:a4:97L.txt</span>&#8221;</span> (a 14 bytes ASCII string).
- </p><p>
- For CAP encoding, a byte that cannot be expressed as an ASCII
- character (0x80 or above) is encoded in an <span class="quote">&#8220;<span class="quote">:xx</span>&#8221;</span> form. You need to take
- care of containing a <span class="quote">&#8220;<span class="quote">\(0x5c)</span>&#8221;</span> in a filename, but filenames are not
- broken in a system that cannot handle non-ASCII filenames.
- </p><p>
- The greatest merit of CAP encoding is the compatibility of encoding
- filenames with CAP or NetAtalk. These are respectively the Columbia Appletalk
- Protocol, and the NetAtalk Open Source software project.
- Since these software applications write a file name on UNIX with CAP encoding, if a
- directory is shared with both Samba and NetAtalk, you need to use
- CAP encoding to avoid non-ASCII filenames from being broken.
- </p><p>
- However, recently, NetAtalk has been
- patched on some systems to write filenames with EUC-JP (e.g., Japanese original Vine Linux).
- In this case, you need to choose EUC-JP series instead of CAP encoding.
- </p><p>
- vfs_cap itself is available for non-Shift_JIS series locales for
- systems that cannot handle non-ASCII characters or systems that
- share files with NetAtalk.
- </p><p>
- To use CAP encoding on Samba-3, you should use the unix charset parameter and VFS
- as in <a class="link" href="unicode.html#vfscap-intl" title="Example 30.1. VFS CAP">the VFS CAP smb.conf file</a>.
- </p><div class="example"><a name="vfscap-intl"></a><p class="title"><b>Example 30.1. VFS CAP</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td># the locale name "CP932" may be different</td></tr><tr><td><a class="indexterm" name="id433460"></a><em class="parameter"><code>dos charset = CP932</code></em></td></tr><tr><td><a class="indexterm" name="id433472"></a><em class="parameter"><code>unix charset = CP932</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[cap-share]</code></em></td></tr><tr><td><a class="indexterm" name="id433492"></a><em class="parameter"><code>vfs option = cap</code></em></td></tr></table></div></div><br class="example-break"><p>
-<a class="indexterm" name="id433507"></a>
-<a class="indexterm" name="id433514"></a>
-<a class="indexterm" name="id433521"></a>
-<a class="indexterm" name="id433527"></a>
- You should set CP932 if using GNU libiconv for unix charset. With this setting,
- filenames in the <span class="quote">&#8220;<span class="quote">cap-share</span>&#8221;</span> share are written with CAP encoding.
- </p></dd></dl></div></div><div class="sect2" title="Individual Implementations"><div class="titlepage"><div><div><h3 class="title"><a name="id433545"></a>Individual Implementations</h3></div></div></div><p>
-Here is some additional information regarding individual implementations:
-</p><div class="variablelist"><dl><dt><span class="term">GNU libiconv</span></dt><dd><p>
- To handle Japanese correctly, you should apply the patch
- <a class="ulink" href="http://www2d.biglobe.ne.jp/~msyk/software/libiconv-patch.html" target="_top">libiconv-1.8-cp932-patch.diff.gz</a>
- to libiconv-1.8.
- </p><p>
- Using the patched libiconv-1.8, these settings are available:
- </p><pre class="programlisting">
-dos charset = CP932
-unix charset = CP932 / eucJP-ms / UTF-8
- | |
- | +-- EUC-JP series
- +-- Shift_JIS series
-display charset = CP932
-</pre><p>
- Other Japanese locales (for example, Shift_JIS and EUC-JP) should not
- be used because of the lack of the compatibility with Windows.
- </p></dd><dt><span class="term">GNU glibc</span></dt><dd><p>
- To handle Japanese correctly, you should apply a <a class="ulink" href="http://www2d.biglobe.ne.jp/~msyk/software/glibc/" target="_top">patch</a>
- to glibc-2.2.5/2.3.1/2.3.2 or should use the patch-merged versions, glibc-2.3.3 or later.
- </p><p>
- Using the above glibc, these setting are available:
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id433613"></a><em class="parameter"><code>dos charset = CP932</code></em></td></tr><tr><td><a class="indexterm" name="id433625"></a><em class="parameter"><code>unix charset = CP932 / eucJP-ms / UTF-8</code></em></td></tr><tr><td><a class="indexterm" name="id433636"></a><em class="parameter"><code>display charset = CP932</code></em></td></tr></table><p>
- </p><p>
- Other Japanese locales (for example, Shift_JIS and EUC-JP) should not
- be used because of the lack of the compatibility with Windows.
- </p></dd></dl></div></div><div class="sect2" title="Migration from Samba-2.2 Series"><div class="titlepage"><div><div><h3 class="title"><a name="id433658"></a>Migration from Samba-2.2 Series</h3></div></div></div><p>
-Prior to Samba-2.2 series, the <span class="quote">&#8220;<span class="quote">coding system</span>&#8221;</span> parameter was used. The default codepage in Samba
-2.x was code page 850. In the Samba-3 series this has been replaced with the <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a> parameter. <a class="link" href="unicode.html#japancharsets" title="Table 30.1. Japanese Character Sets in Samba-2.2 and Samba-3">Japanese Character Sets in Samba-2.2 and Samba-3</a>
-shows the mapping table when migrating from the Samba-2.2 series to Samba-3.
-</p><div class="table"><a name="japancharsets"></a><p class="title"><b>Table 30.1. Japanese Character Sets in Samba-2.2 and Samba-3</b></p><div class="table-contents"><table summary="Japanese Character Sets in Samba-2.2 and Samba-3" border="1"><colgroup><col align="center"><col align="center"></colgroup><thead><tr><th align="center">Samba-2.2 Coding System</th><th align="center">Samba-3 unix charset</th></tr></thead><tbody><tr><td align="center">SJIS</td><td align="center">Shift_JIS series</td></tr><tr><td align="center">EUC</td><td align="center">EUC-JP series</td></tr><tr><td align="center">EUC3<sup>[<a name="id433747" href="#ftn.id433747" class="footnote">a</a>]</sup></td><td align="center">EUC-JP series</td></tr><tr><td align="center">CAP</td><td align="center">Shift_JIS series + VFS</td></tr><tr><td align="center">HEX</td><td align="center">currently none</td></tr><tr><td align="center">UTF8</td><td align="center">UTF-8</td></tr><tr><td align="center">UTF8-Mac<sup>[<a name="id433778" href="#ftn.id433778" class="footnote">b</a>]</sup></td><td align="center">currently none</td></tr><tr><td align="center">others</td><td align="center">none</td></tr></tbody><tbody class="footnotes"><tr><td colspan="2"><div class="footnote"><p><sup>[<a name="ftn.id433747" href="#id433747" class="para">a</a>] </sup>Only exists in Japanese Samba version</p></div><div class="footnote"><p><sup>[<a name="ftn.id433778" href="#id433778" class="para">b</a>] </sup>Only exists in Japanese Samba version</p></div></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id433797"></a>Common Errors</h2></div></div></div><div class="sect2" title="CP850.so Can't Be Found"><div class="titlepage"><div><div><h3 class="title"><a name="id433803"></a>CP850.so Can't Be Found</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">Samba is complaining 
about a missing <code class="filename">CP850.so</code> file.</span>&#8221;</span></p><p>
- CP850 is the default <a class="link" href="smb.conf.5.html#DOSCHARSET" target="_top">dos charset</a>.
- The <a class="link" href="smb.conf.5.html#DOSCHARSET" target="_top">dos charset</a> is used to convert data to the codepage used by your DOS clients.
- If you do not have any DOS clients, you can safely ignore this message. </p><p>
- CP850 should be supported by your local iconv implementation. Make sure you have all the required packages installed.
- If you compiled Samba from source, make sure that the configure process found iconv. This can be
- confirmed by checking the <code class="filename">config.log</code> file that is generated when
- <code class="literal">configure</code> is executed.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="integrate-ms-networks.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Backup.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 29. Integrating MS Windows Networks with Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 31. Backup Techniques</td></tr></table></div></body></html>
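Review bot: this hunk, which ends at the navfooter of unicode.html, deletes the charset chapter outright with no replacement visible in the diff. The smb.conf guidance it holds (Example 30.1 for vfs_cap, and Table 30.1 mapping the Samba-2.2 coding system values to unix charset) therefore leaves the tree unless it is regenerated from source. The markup looks like stylesheet output rather than hand-written HTML, so please state in the commit message that the chapter's source is kept and where the rendered HOWTO is expected to come from. The removed page also uses relative links such as smb.conf.5.html#UNIXCHARSET, integrate-ms-networks.html and Backup.html, so it is worth confirming that nothing remaining under docs/htmldocs still links to unicode.html or to its anchors vfscap-intl and japancharsets after the removal.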
diff --git a/docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html b/docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html
deleted file mode 100644
index e363ba9cf7..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html
+++ /dev/null
@@ -1,369 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 35. Updating and Upgrading Samba</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="prev" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 36. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 35. Updating and Upgrading Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 35. Updating and Upgrading Samba"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 35. 
Updating and Upgrading Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">August 16, 2007</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="upgrading-to-3.0.html#id438461">Key Update Requirements</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438485">Upgrading from Samba-3.0.x to Samba-3.2.0</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#oldupdatenotes">Upgrading from Samba-2.x to Samba-3.0.25</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438531">Quick Migration Guide</a></span></dt></dl></dd><dt><span class="sect1"><a href="upgrading-to-3.0.html#id438669">New Features in Samba-3.x Series</a></span></dt><dd><dl><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438678">New Features in Samba-3.2.x 
Series</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id438918">New Features in Samba-3.0.x</a></span></dt><dt><span class="sect2"><a href="upgrading-to-3.0.html#id440069">New Functionality</a></span></dt></dl></dd></dl></div><p>
-This chapter provides a detailed record of changes made during the 3.x series releases. At this time this
-series consists of the 3.0.x series that is under the GNU GPL version 2 license, and the Samba 3.2.x series
-that is being released under the terms of the GNU GPL version 3 license.
-</p><div class="sect1" title="Key Update Requirements"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id438461"></a>Key Update Requirements</h2></div></div></div><p>
-Samba is a fluid product in which there may be significant changes between releases. Some of these changes are
-brought about as a result of changes in the protocols that are used by Microsoft Windows network clients as a
-result of security or functionality updates through official Microsoft patches and updates. Samba must track
-such changes, particularly where they affect the internal operation of Samba itself.
-</p><p>
-Please refer to any notes below that make explicit mention of the version of Samba you are using. In general,
-all changes that apply to a new release will apply to follow-on releases also. For example, changes to Samba
-3.0.23 affect all releases up to an including 3.0.25 and later. Samba 3.2.x was originaly cut from Samba
-3.0.25 before 3.2.0-specific changes were applied. Unless a 3.0.x series feature is specifically revoked, the
-behavior of the 3.2.x series can be expected to follow the earlier pattern.
-</p><div class="sect2" title="Upgrading from Samba-3.0.x to Samba-3.2.0"><div class="titlepage"><div><div><h3 class="title"><a name="id438485"></a>Upgrading from Samba-3.0.x to Samba-3.2.0</h3></div></div></div><p>
-</p></div><div class="sect2" title="Upgrading from Samba-2.x to Samba-3.0.25"><div class="titlepage"><div><div><h3 class="title"><a name="oldupdatenotes"></a>Upgrading from Samba-2.x to Samba-3.0.25</h3></div></div></div><p>
-<a class="indexterm" name="id438507"></a>
-<a class="indexterm" name="id438513"></a>
-<a class="indexterm" name="id438520"></a>
-This chapter deals exclusively with the differences between Samba-3.0.25 and Samba-2.2.8a.
-It points out where configuration parameters have changed, and provides a simple guide for
-the move from 2.2.x to 3.0.25.
-</p></div><div class="sect2" title="Quick Migration Guide"><div class="titlepage"><div><div><h3 class="title"><a name="id438531"></a>Quick Migration Guide</h3></div></div></div><p>
-Samba-3.0.25 default behavior should be approximately the same as Samba-2.2.x.
-The default behavior when the new parameter <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>
-is not defined in the <code class="filename">smb.conf</code> file provides the same default behavior as Samba-2.2.x
-with <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords = Yes</a> and
-will use the <code class="filename">smbpasswd</code> database.
-</p><p>
-<a class="indexterm" name="id438577"></a>
-<a class="indexterm" name="id438584"></a>
-So why say that <span class="emphasis"><em>behavior should be approximately the same as Samba-2.2.x</em></span>? Because
-Samba-3.0.25 can negotiate new protocols, such as support for native Unicode, that may result in
-differing protocol code paths being taken. The new behavior under such circumstances is not
-exactly the same as the old one. The good news is that the domain and machine SIDs will be
-preserved across the upgrade.
-</p><p>
-<a class="indexterm" name="id438601"></a>
-<a class="indexterm" name="id438608"></a>
-<a class="indexterm" name="id438615"></a>
-<a class="indexterm" name="id438621"></a>
-If the Samba-2.2.x system is using an LDAP backend, and there is no time to update the LDAP
-database, then make sure that <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend = ldapsam_compat</a>
-is specified in the <code class="filename">smb.conf</code> file. For the rest, behavior should remain more or less the same.
-At a later date, when there is time to implement a new Samba-3-compatible LDAP backend, it is possible
-to migrate the old LDAP database to the new one through use of the <code class="literal">pdbedit</code>.
-See <a class="link" href="passdb.html#pdbeditthing" title="The pdbedit Tool">The <span class="emphasis"><em>pdbedit</em></span> Command</a>.
-</p></div></div><div class="sect1" title="New Features in Samba-3.x Series"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id438669"></a>New Features in Samba-3.x Series</h2></div></div></div><p>
-</p><div class="sect2" title="New Features in Samba-3.2.x Series"><div class="titlepage"><div><div><h3 class="title"><a name="id438678"></a>New Features in Samba-3.2.x Series</h3></div></div></div><p>Samba is now distributed under the version 3
-of the new GNU General Public License.
-</p><p>
-The major new features are:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
-<a class="indexterm" name="id438702"></a>
-<a class="indexterm" name="id438709"></a>
- Removal of the 1024 byte limit on pathnames and 256 byte limit on
- filename components to honor the MAX_PATH setting from the host OS.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438722"></a>
-<a class="indexterm" name="id438728"></a>
- Introduction of a registry based configuration system.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438740"></a>
- Experimental support for file serving clusters.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438752"></a>
- Support for IPv6 in the server, and client tools and libraries.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438763"></a>
- Support for storing alternate data streams in xattrs.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438775"></a>
- Encrypted SMB transport in client tools and libraries, and server.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438787"></a>
- Support for Vista clients authenticating via Kerberos.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438799"></a>
-<a class="indexterm" name="id438805"></a>
- Full support for Windows 2003 cross-forest, transitive trusts
- and one-way domain trusts.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438817"></a>
- Support for userPrincipalName logons via pam_winbind and NSS lookups.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438829"></a>
-<a class="indexterm" name="id438836"></a>
-<a class="indexterm" name="id438843"></a>
- Support for Active Directory LDAP Signing policy.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438854"></a>
-<a class="indexterm" name="id438861"></a>
- New LGPL Winbind client library (libwbclient.so).
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438873"></a>
-<a class="indexterm" name="id438879"></a>
- Support for establishing interdomain trust relationships with Windows 2008.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438891"></a>
- New client and server support for remotely joining and unjoining Domains.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438904"></a>
- Support for joining into Windows 2008 domains.
- </p></li></ol></div><p>
-Plus lots of other improvements!
-</p></div><div class="sect2" title="New Features in Samba-3.0.x"><div class="titlepage"><div><div><h3 class="title"><a name="id438918"></a>New Features in Samba-3.0.x</h3></div></div></div><p>
-The major new features are:
-</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
-<a class="indexterm" name="id438939"></a>
-<a class="indexterm" name="id438946"></a>
- Active Directory support. This release is able to join an ADS realm
- as a member server and authenticate users using LDAP/Kerberos.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438958"></a>
-<a class="indexterm" name="id438965"></a>
- Unicode support. Samba will now negotiate Unicode on the wire, and
- internally there is a much better infrastructure for multibyte
- and Unicode character sets.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438978"></a>
- New authentication system. The internal authentication system has
- been almost completely rewritten. Most of the changes are internal,
- but the new authoring system is also very configurable.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id438990"></a>
- New filename mangling system. The filename mangling system has been
- completely rewritten. An internal database now stores mangling maps
- persistently.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id439003"></a>
- New <span class="quote">&#8220;<span class="quote">net</span>&#8221;</span> command. A new <span class="quote">&#8220;<span class="quote">net</span>&#8221;</span> command has been added. It is
- somewhat similar to the <span class="quote">&#8220;<span class="quote">net</span>&#8221;</span> command in Windows. Eventually, we
- plan to replace a bunch of other utilities (such as smbpasswd)
- with subcommands in <span class="quote">&#8220;<span class="quote">net</span>&#8221;</span>.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id439029"></a>
- Samba now negotiates NT-style status32 codes on the wire. This
- considerably improves error handling.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id439041"></a>
- Better Windows 200x/XP printing support, including publishing
- printer attributes in Active Directory.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id439054"></a>
-<a class="indexterm" name="id439060"></a>
-<a class="indexterm" name="id439067"></a>
- New loadable RPC modules for passdb backends and character sets.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id439079"></a>
- New default dual-daemon winbindd support for better performance.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id439091"></a>
-<a class="indexterm" name="id439097"></a>
-<a class="indexterm" name="id439104"></a>
- Support for migrating from a Windows NT 4.0 domain to a Samba
- domain and maintaining user, group, and domain SIDs.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id439116"></a>
-<a class="indexterm" name="id439123"></a>
- Support for establishing trust relationships with Windows NT 4.0
- domain controllers.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id439135"></a>
-<a class="indexterm" name="id439142"></a>
-<a class="indexterm" name="id439148"></a>
- Initial support for a distributed Winbind architecture using
- an LDAP directory for storing SID to UID/GID mappings.
- </p></li><li class="listitem"><p>
- Major updates to the Samba documentation tree.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id439166"></a>
-<a class="indexterm" name="id439172"></a>
- Full support for client and server SMB signing to ensure
- compatibility with default Windows 2003 security settings.
- </p></li></ol></div><p>
-Plus lots of other improvements!
-</p><div class="sect3" title="Configuration Parameter Changes"><div class="titlepage"><div><div><h4 class="title"><a name="id439186"></a>Configuration Parameter Changes</h4></div></div></div><p>
-This section contains a brief listing of changes to <code class="filename">smb.conf</code> options since the Samba-2.2.x series up to and
-including Samba-3.0.25.
-</p><p>
-Please refer to the smb.conf(5) man page for complete descriptions of new or modified
-parameters.
-</p><p>
-Whenever a Samba update or upgrade is performed it is highly recommended to read the file called
-<span class="emphasis"><em>WHATSNEW.txt</em></span> that is part of the Samba distribution tarball. This file may also
-be obtain on-line from the Samba <a class="ulink" href="http://www.samba.org/samba/" target="_top">web site</a>, in
-the right column, under Current Stable Release, by clicking on <span class="emphasis"><em>Release Notes</em></span>.
-</p></div><div class="sect3" title="Removed Parameters"><div class="titlepage"><div><div><h4 class="title"><a name="id439226"></a>Removed Parameters</h4></div></div></div><a class="indexterm" name="id439231"></a><p>
-In alphabetical order, these are the parameters eliminated from Samba-2.2.x through 3.0.25.
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>admin log</p></li><li class="listitem"><p>alternate permissions</p></li><li class="listitem"><p>character set</p></li><li class="listitem"><p>client codepage</p></li><li class="listitem"><p>code page directory</p></li><li class="listitem"><p>coding system</p></li><li class="listitem"><p>domain admin group</p></li><li class="listitem"><p>domain guest group</p></li><li class="listitem"><p>enable rid algorithm</p></li><li class="listitem"><p>enable svcctl</p></li><li class="listitem"><p>force unknown acl user</p></li><li class="listitem"><p>hosts equiv</p></li><li class="listitem"><p>ldap filter</p></li><li class="listitem"><p>min password length</p></li><li class="listitem"><p>nt smb support</p></li><li class="listitem"><p>post script</p></li><li class="listitem"><p>printer admin</p></li><li class="listitem"><p>printer driver</p></li><li class="listitem"><p>printer driver file</p></li><li class="listitem"><p>printer driver location</p></li><li class="listitem"><p>read size</p></li><li class="listitem"><p>source environment</p></li><li class="listitem"><p>status </p></li><li class="listitem"><p>strip dot </p></li><li class="listitem"><p>total print jobs</p></li><li class="listitem"><p>unicode</p></li><li class="listitem"><p>use rhosts</p></li><li class="listitem"><p>valid chars</p></li><li class="listitem"><p>vfs options</p></li><li class="listitem"><p>winbind enable local accounts</p></li><li class="listitem"><p>winbind max idle children</p></li><li class="listitem"><p>wins partners</p></li></ul></div></div><div class="sect3" title="New Parameters"><div class="titlepage"><div><div><h4 class="title"><a name="id439392"></a>New Parameters</h4></div></div></div><p>The following new parameters have been released up to and including Samba 3.0.25 (grouped by function:)</p><p>Remote Management</p><a class="indexterm" name="id439405"></a><div class="itemizedlist"><ul 
class="itemizedlist" type="disc"><li class="listitem"><p>abort shutdown script</p></li><li class="listitem"><p>shutdown script</p></li></ul></div><p>User and Group Account Management</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>add group script</p></li><li class="listitem"><p>add machine script</p></li><li class="listitem"><p>add user to group script</p></li><li class="listitem"><p>algorithmic rid base</p></li><li class="listitem"><p>delete group script</p></li><li class="listitem"><p>delete user from group script</p></li><li class="listitem"><p>passdb backend</p></li><li class="listitem"><p>rename user script</p></li><li class="listitem"><p>set primary group script</p></li><li class="listitem"><p>username map script</p></li></ul></div><p>Authentication</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>auth methods</p></li><li class="listitem"><p>ldap password sync</p></li><li class="listitem"><p>passdb expand explicit</p></li><li class="listitem"><p>realm</p></li></ul></div><p>Protocol Options</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>add port command</p></li><li class="listitem"><p>afs token lifetime</p></li><li class="listitem"><p>client lanman auth</p></li><li class="listitem"><p>client NTLMv2 auth</p></li><li class="listitem"><p>client schannel</p></li><li class="listitem"><p>client signing</p></li><li class="listitem"><p>client use spnego</p></li><li class="listitem"><p>defer sharing violations</p></li><li class="listitem"><p>disable netbios</p></li><li class="listitem"><p>dmapi support</p></li><li class="listitem"><p>enable privileges</p></li><li class="listitem"><p>use kerberos keytab</p></li><li class="listitem"><p>log nt token command</p></li><li class="listitem"><p>ntlm auth</p></li><li class="listitem"><p>paranoid server security </p></li><li class="listitem"><p>sendfile</p></li><li class="listitem"><p>server 
schannel</p></li><li class="listitem"><p>server signing</p></li><li class="listitem"><p>smb ports</p></li><li class="listitem"><p>svcctl list</p></li><li class="listitem"><p>use spnego</p></li></ul></div><p>File Service</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>allocation roundup size</p></li><li class="listitem"><p>acl check permissions</p></li><li class="listitem"><p>acl group control</p></li><li class="listitem"><p>acl map full control</p></li><li class="listitem"><p>aio read size</p></li><li class="listitem"><p>aio write size</p></li><li class="listitem"><p>dfree cache time</p></li><li class="listitem"><p>dfree command</p></li><li class="listitem"><p>ea support</p></li><li class="listitem"><p>enable asu support</p></li><li class="listitem"><p>fam change notify</p></li><li class="listitem"><p>force unknown acl user</p></li><li class="listitem"><p>get quota command</p></li><li class="listitem"><p>hide special files</p></li><li class="listitem"><p>hide unwriteable files</p></li><li class="listitem"><p>inherit owner</p></li><li class="listitem"><p>hostname lookups</p></li><li class="listitem"><p>kernel change notify</p></li><li class="listitem"><p>mangle prefix</p></li><li class="listitem"><p>map acl inherit</p></li><li class="listitem"><p>map read only</p></li><li class="listitem"><p>max stat cache size</p></li><li class="listitem"><p>msdfs proxy</p></li><li class="listitem"><p>open files database hash size</p></li><li class="listitem"><p>set quota command</p></li><li class="listitem"><p>store dos attributes</p></li><li class="listitem"><p>use sendfile</p></li><li class="listitem"><p>usershare allow guests</p></li><li class="listitem"><p>usershare max shares</p></li><li class="listitem"><p>usershare owner only</p></li><li class="listitem"><p>usershare path</p></li><li class="listitem"><p>usershare prefix allow list</p></li><li class="listitem"><p>usershare prefix deny list</p></li><li class="listitem"><p>usershare 
template share</p></li><li class="listitem"><p>vfs objects</p></li></ul></div><p>Printing</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>cups options</p></li><li class="listitem"><p>cups server</p></li><li class="listitem"><p>force printername</p></li><li class="listitem"><p>iprint server</p></li><li class="listitem"><p>max reported print jobs</p></li><li class="listitem"><p>printcap cache time</p></li></ul></div><p>Unicode and Character Sets</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>display charset</p></li><li class="listitem"><p>dos charset</p></li><li class="listitem"><p>UNIX charset</p></li></ul></div><p>SID to UID/GID Mappings</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>idmap backend</p></li><li class="listitem"><p>idmap gid</p></li><li class="listitem"><p>idmap uid</p></li><li class="listitem"><p>username map script</p></li><li class="listitem"><p>winbind nss info</p></li><li class="listitem"><p>winbind offline logon</p></li><li class="listitem"><p>winbind refresh tickets</p></li><li class="listitem"><p>winbind trusted domains only</p></li><li class="listitem"><p>template primary group</p></li></ul></div><p>LDAP</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>ldap delete dn</p></li><li class="listitem"><p>ldap group suffix</p></li><li class="listitem"><p>ldap idmap suffix</p></li><li class="listitem"><p>ldap machine suffix</p></li><li class="listitem"><p>ldap passwd sync</p></li><li class="listitem"><p>ldap replication sleep</p></li><li class="listitem"><p>ldap timeout</p></li><li class="listitem"><p>ldap user suffix</p></li></ul></div><p>General Configuration</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>eventlog list</p></li><li class="listitem"><p>preload modules</p></li><li class="listitem"><p>reset on zero vc</p></li><li 
class="listitem"><p>privatedir</p></li></ul></div></div><div class="sect3" title="Modified Parameters (Changes in Behavior)"><div class="titlepage"><div><div><h4 class="title"><a name="id439940"></a>Modified Parameters (Changes in Behavior)</h4></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>acl group control (new default is No, deprecated parameter)</p></li><li class="listitem"><p>change notify timeout (scope changed)</p></li><li class="listitem"><p>dos filemode (disabled by default)</p></li><li class="listitem"><p>dos filetimes (enabled by default)</p></li><li class="listitem"><p>enable asu support (disabled by default)</p></li><li class="listitem"><p>enable privileges (enabled by default)</p></li><li class="listitem"><p>encrypt passwords (enabled by default) </p></li><li class="listitem"><p>host msdfs (enabled by default)</p></li><li class="listitem"><p>mangling method (set to hash2 by default) </p></li><li class="listitem"><p>map to guest</p></li><li class="listitem"><p>only user (deprecated)</p></li><li class="listitem"><p>passwd chat</p></li><li class="listitem"><p>passwd program</p></li><li class="listitem"><p>password server</p></li><li class="listitem"><p>restrict anonymous (integer value)</p></li><li class="listitem"><p>security (new ads value)</p></li><li class="listitem"><p>strict locking (auto by default)</p></li><li class="listitem"><p>winbind cache time (increased to 5 minutes)</p></li><li class="listitem"><p>winbind enum groups (disabled by default)</p></li><li class="listitem"><p>winbind enum users (disabled by default)</p></li><li class="listitem"><p>winbind nested groups (enabled by default)</p></li><li class="listitem"><p>winbind uid (deprecated in favor of idmap uid)</p></li><li class="listitem"><p>winbind gid (deprecated in favor of idmap gid)</p></li><li class="listitem"><p>winbindd nss info</p></li><li class="listitem"><p>write cache (deprecated)</p></li></ul></div></div></div><div 
class="sect2" title="New Functionality"><div class="titlepage"><div><div><h3 class="title"><a name="id440069"></a>New Functionality</h3></div></div></div><p>
-<a class="indexterm" name="id440076"></a>
- The major changes in behavior since that Samba-2.2.x series are documented in this section.
- Please refer to the <code class="filename">WHATSNEW.txt</code> file that ships with every release of
- Samba to obtain detailed information regarding the changes that have been made during the
- life of the current Samba release.
- </p><div class="sect3" title="TDB Data Files"><div class="titlepage"><div><div><h4 class="title"><a name="id440092"></a>TDB Data Files</h4></div></div></div><a class="indexterm" name="id440098"></a><p>
- Refer to <a class="link" href="install.html" title="Chapter 1. How to Install and Test SAMBA">Installation, Chapter 1</a>, <a class="link" href="install.html#tdbdocs" title="TDB Database File Information">Chapter 1</a>
- for information pertaining to the Samba-3 data files, their location and the information that must be
- preserved across server migrations, updates and upgrades.
- </p><p>
-<a class="indexterm" name="id440126"></a>
- Please remember to back up your existing ${lock directory}/*tdb before upgrading to Samba-3. If necessary,
- Samba will upgrade databases as they are opened. Downgrading from Samba-3 to 2.2, or reversion to an earlier
- version of Samba-3 from a later release, is an unsupported path.
- </p><p>
-<a class="indexterm" name="id440138"></a>
- The old Samba-2.2.x tdb files are described in <a class="link" href="upgrading-to-3.0.html#oldtdbfiledesc" title="Table 35.1. Samba-2.2.x TDB File Descriptions">the next table</a>.
- </p><div class="table"><a name="oldtdbfiledesc"></a><p class="title"><b>Table 35.1. Samba-2.2.x TDB File Descriptions</b></p><div class="table-contents"><table summary="Samba-2.2.x TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th><th align="center">Backup?</th></tr></thead><tbody><tr><td align="left">account_policy</td><td align="justify">User policy settings</td><td align="left">yes</td></tr><tr><td align="left">brlock</td><td align="justify">Byte-range file locking information.</td><td align="left">no</td></tr><tr><td align="left">connections</td><td align="justify"><p>Client connection information</p></td><td align="left">no</td></tr><tr><td align="left">locking</td><td align="justify">Temporary file locking data.</td><td align="left">no</td></tr><tr><td align="left">messages</td><td align="justify"><p>Temporary storage of messages being processed by smbd.</p></td><td align="left">no</td></tr><tr><td align="left">ntdrivers</td><td align="justify"><p>Stores per-printer driver information.</p></td><td align="left">yes</td></tr><tr><td align="left">ntforms</td><td align="justify"><p>Stores per-printer forms information.</p></td><td align="left">yes</td></tr><tr><td align="left">ntprinters</td><td align="justify"><p>Stores the per-printer devmode configuration settings.</p></td><td align="left">yes</td></tr><tr><td align="left">printing/*.tdb</td><td align="justify"><p>Cached output from lpq command created on a per-print-service basis.</p></td><td align="left">no</td></tr><tr><td align="left">registry</td><td align="justify"><p>Read-only Samba registry skeleton that provides support for
- exporting various database tables via the winreg RPCs.</p></td><td align="left">no</td></tr><tr><td align="left">sessionid</td><td align="justify"><p>Temporary cache for miscellaneous session information.</p></td><td align="left">no</td></tr><tr><td align="left">share_info</td><td align="justify">Share ACL settings.</td><td align="left">yes</td></tr><tr><td align="left">unexpected</td><td align="justify"><p>Packets received for which no process was listening.</p></td><td align="left">no</td></tr><tr><td align="left">winbindd_cache</td><td align="justify"><p>Cache of identity information received from an NT4 or an ADS domain.</p></td><td align="left">yes</td></tr><tr><td align="left">winbindd_idmap</td><td align="justify"><p>New ID map table from SIDS to UNIX UIDs/GIDs.</p></td><td align="left">yes</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect3" title="Changes in Behavior"><div class="titlepage"><div><div><h4 class="title"><a name="id440430"></a>Changes in Behavior</h4></div></div></div><p>
- The following issues are known changes in behavior between Samba-2.2 and
- Samba-3 that may affect certain installations of Samba.
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
-<a class="indexterm" name="id440450"></a>
-<a class="indexterm" name="id440456"></a>
-<a class="indexterm" name="id440463"></a>
- When operating as a member of a Windows domain, Samba-2.2 would map any users authenticated by the remote DC
- to the <span class="quote">&#8220;<span class="quote">guest account</span>&#8221;</span> if a UID could not be obtained via the getpwnam() call. Samba-3 rejects
- the connection with the error message <span class="quote">&#8220;<span class="quote">NT_STATUS_LOGON_FAILURE.</span>&#8221;</span> There is no current workaround
- to re-establish the Samba-2.2 behavior.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id440484"></a>
-<a class="indexterm" name="id440491"></a>
- When adding machines to a Samba-2.2 controlled domain, the
- <span class="quote">&#8220;<span class="quote">add user script</span>&#8221;</span> was used to create the UNIX identity of the
- machine trust account. Samba-3 introduces a new <span class="quote">&#8220;<span class="quote">add machine
- script</span>&#8221;</span> that must be specified for this purpose. Samba-3 will
- not fall back to using the <span class="quote">&#8220;<span class="quote">add user script</span>&#8221;</span> in the absence of
- an <span class="quote">&#8220;<span class="quote">add machine script</span>&#8221;</span>.
- </p></li></ol></div></div><div class="sect3" title="Passdb Backends and Authentication"><div class="titlepage"><div><div><h4 class="title"><a name="id440518"></a>Passdb Backends and Authentication</h4></div></div></div><p>
- There have been a few new changes that Samba administrators should be
- aware of when moving to Samba-3.
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
-<a class="indexterm" name="id440538"></a>
- Encrypted passwords have been enabled by default in order to
- interoperate better with out-of-the-box Windows client
- installations. This does mean that either (a) a Samba account
- must be created for each user, or (b) <span class="quote">&#8220;<span class="quote">encrypt passwords = no</span>&#8221;</span>
- must be explicitly defined in <code class="filename">smb.conf</code>.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id440561"></a>
-<a class="indexterm" name="id440568"></a>
-<a class="indexterm" name="id440574"></a>
- Inclusion of new <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = ads</a> option for integration
- with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols.
- </p></li></ol></div><p>
-<a class="indexterm" name="id440598"></a>
- Samba-3 also includes the possibility of setting up chains of authentication methods (<a class="link" href="smb.conf.5.html#AUTHMETHODS" target="_top">auth methods</a>) and account storage backends (<a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>). Please refer to
- the <code class="filename">smb.conf</code> man page and <a class="link" href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Databases</a>, for
- details. While both parameters assume sane default values, it is likely that you will need to understand what
- the values actually mean in order to ensure Samba operates correctly.
- </p><p>
-<a class="indexterm" name="id440645"></a>
-<a class="indexterm" name="id440652"></a>
-<a class="indexterm" name="id440658"></a>
- Certain functions of the <code class="literal">smbpasswd</code> tool have been split between the
- new <code class="literal">smbpasswd</code> utility, the <code class="literal">net</code> tool, and the new <code class="literal">pdbedit</code>
- utility. See the respective man pages for details.
- </p></div><div class="sect3" title="LDAP"><div class="titlepage"><div><div><h4 class="title"><a name="id440692"></a>LDAP</h4></div></div></div><p>
- This section outlines the new features effecting Samba/LDAP integration.
- </p><div class="sect4" title="New Schema"><div class="titlepage"><div><div><h5 class="title"><a name="id440701"></a>New Schema</h5></div></div></div><p>
-<a class="indexterm" name="id440709"></a>
-<a class="indexterm" name="id440715"></a>
-<a class="indexterm" name="id440722"></a>
-<a class="indexterm" name="id440729"></a>
- A new object class (sambaSamAccount) has been introduced to replace
- the old sambaAccount. This change aids in the renaming of attributes
- to prevent clashes with attributes from other vendors. There is a
- conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF
- file to the new schema.
- </p><p>
- Example:
-<a class="indexterm" name="id440742"></a>
- </p><pre class="screen">
- <code class="prompt">$ </code>ldapsearch .... -LLL -b "ou=people,dc=..." &gt; old.ldif
- <code class="prompt">$ </code>convertSambaAccount --sid &lt;DOM SID&gt; --input old.ldif --output new.ldif
- </pre><p>
-<a class="indexterm" name="id440772"></a>
- The &lt;DOM SID&gt; can be obtained by running
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>net getlocalsid &lt;DOMAINNAME&gt;</code></strong>
-</pre><p>
-<a class="indexterm" name="id440798"></a>
- on the Samba PDC as root.
- </p><p>
- Under Samba-2.x the domain SID can be obtained by executing:
-<a class="indexterm" name="id440808"></a>
-</p><pre class="screen">
-<code class="prompt">$ </code><strong class="userinput"><code>smbpasswd -S &lt;DOMAINNAME&gt;</code></strong>
-</pre><p>
- </p><p>
-<a class="indexterm" name="id440834"></a>
-<a class="indexterm" name="id440841"></a>
-<a class="indexterm" name="id440848"></a>
-<a class="indexterm" name="id440855"></a>
- The old <code class="literal">sambaAccount</code> schema may still be used by specifying the
- <em class="parameter"><code>ldapsam_compat</code></em> passdb backend. However, the sambaAccount and
- associated attributes have been moved to the historical section of
- the schema file and must be uncommented before use if needed.
- The Samba-2.2 object class declaration for a <code class="literal">sambaAccount</code> has not changed
- in the Samba-3 <code class="filename">samba.schema</code> file.
- </p><p>
- Other new object classes and their uses include:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id440898"></a>
-<a class="indexterm" name="id440905"></a>
-<a class="indexterm" name="id440912"></a>
-<a class="indexterm" name="id440918"></a>
-<a class="indexterm" name="id440925"></a>
-<a class="indexterm" name="id440932"></a>
- <code class="literal">sambaDomain</code> domain information used to allocate RIDs
- for users and groups as necessary. The attributes are added
- in <span class="quote">&#8220;<span class="quote">ldap suffix</span>&#8221;</span> directory entry automatically if
- an idmap UID/GID range has been set and the <span class="quote">&#8220;<span class="quote">ldapsam</span>&#8221;</span>
- passdb backend has been selected.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id440961"></a>
-<a class="indexterm" name="id440967"></a>
-<a class="indexterm" name="id440974"></a>
- sambaGroupMapping an object representing the
- relationship between a posixGroup and a Windows
- group/SID. These entries are stored in the <span class="quote">&#8220;<span class="quote">ldap
- group suffix</span>&#8221;</span> and managed by the <span class="quote">&#8220;<span class="quote">net groupmap</span>&#8221;</span> command.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id440997"></a>
-<a class="indexterm" name="id441003"></a>
-<a class="indexterm" name="id441010"></a>
-<a class="indexterm" name="id441017"></a>
- <code class="literal">sambaUNIXIdPool</code> created in the <span class="quote">&#8220;<span class="quote">ldap idmap suffix</span>&#8221;</span> entry
- automatically and contains the next available <span class="quote">&#8220;<span class="quote">idmap UID</span>&#8221;</span> and
- <span class="quote">&#8220;<span class="quote">idmap GID</span>&#8221;</span>.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id441049"></a>
-<a class="indexterm" name="id441054"></a>
- <code class="literal">sambaIdmapEntry</code> object storing a mapping between a
- SID and a UNIX UID/GID. These objects are created by the
- idmap_ldap module as needed.
- </p></li></ul></div></div><div class="sect4" title="New Suffix for Searching"><div class="titlepage"><div><div><h5 class="title"><a name="id441075"></a>New Suffix for Searching</h5></div></div></div><p>
-<a class="indexterm" name="id441083"></a>
-<a class="indexterm" name="id441088"></a>
-<a class="indexterm" name="id441095"></a>
-<a class="indexterm" name="id441102"></a>
-<a class="indexterm" name="id441109"></a>
-<a class="indexterm" name="id441116"></a>
-<a class="indexterm" name="id441122"></a>
- The following new <code class="filename">smb.conf</code> parameters have been added to aid in directing
- certain LDAP queries when <em class="parameter"><code>passdb backend = ldapsam://...</code></em> has been
- specified.
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>ldap suffix used to search for user and computer accounts.</p></li><li class="listitem"><p>ldap user suffix used to store user accounts.</p></li><li class="listitem"><p>ldap machine suffix used to store machine trust accounts.</p></li><li class="listitem"><p>ldap group suffix location of posixGroup/sambaGroupMapping entries.</p></li><li class="listitem"><p>ldap idmap suffix location of sambaIdmapEntry objects.</p></li></ul></div><p>
-<a class="indexterm" name="id441187"></a>
-<a class="indexterm" name="id441192"></a>
- If an <em class="parameter"><code>ldap suffix</code></em> is defined, it will be appended to all of the
- remaining subsuffix parameters. In this case, the order of the suffix
- listings in <code class="filename">smb.conf</code> is important. Always place the <em class="parameter"><code>ldap suffix</code></em> first
- in the list.
- </p><p>
- Due to a limitation in Samba's <code class="filename">smb.conf</code> parsing, you should not surround
- the domain names with quotation marks.
- </p></div><div class="sect4" title="IdMap LDAP Support"><div class="titlepage"><div><div><h5 class="title"><a name="id441231"></a>IdMap LDAP Support</h5></div></div></div><p>
-<a class="indexterm" name="id441239"></a>
- Samba-3 supports an LDAP backend for the idmap subsystem. The
- following options inform Samba that the idmap table should be
- stored on the directory server <span class="emphasis"><em>onterose</em></span> in the ou=Idmap,dc=quenya,dc=org partition.
- </p><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td>...</td></tr><tr><td><a class="indexterm" name="id441270"></a><em class="parameter"><code>idmap backend = ldap:ldap://onterose/</code></em></td></tr><tr><td><a class="indexterm" name="id441281"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id441293"></a><em class="parameter"><code>idmap uid = 40000-50000</code></em></td></tr><tr><td><a class="indexterm" name="id441304"></a><em class="parameter"><code>idmap gid = 40000-50000</code></em></td></tr></table><p>
-<a class="indexterm" name="id441318"></a>
- This configuration allows Winbind installations on multiple servers to
- share a UID/GID number space, thus avoiding the interoperability problems
- with NFS that were present in Samba-2.2.
- </p></div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html>
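Review bot: Missing documentation: the page that ends at this navigation footer carries operational guidance, and nothing visible in the patch says where it lives once the file is gone. That guidance includes the rule that `ldap suffix` must come first among the suffix parameters, the smb.conf parser limitation about quotation marks, and the `idmap backend = ldap:ldap://onterose/` example. The diffstat shows the rest of docs/htmldocs/Samba3-HOWTO being removed in the same change, including the NT4Migration.html target of the footer's Next link, so the links are removed consistently. If these pages are generated output, the commit message should say so and name the source they are rebuilt from, so that anyone following an old link to this section can find the current text.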
diff --git a/docs/htmldocs/Samba3-HOWTO/winbind.html b/docs/htmldocs/Samba3-HOWTO/winbind.html
deleted file mode 100644
index 9bf4641b1e..0000000000
--- a/docs/htmldocs/Samba3-HOWTO/winbind.html
+++ /dev/null
@@ -1,1033 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Winbind: Use of Domain Accounts</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="VFS.html" title="Chapter 23. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 25. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Winbind: Use of Domain Accounts</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 24. Winbind: Use of Domain Accounts"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 24. 
Winbind: Use of Domain Accounts</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><span class="contrib">Notes for Solaris</span> <div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Trostel</span></h3><div class="affiliation"><span class="orgname">SNAP<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div 
class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">June 15, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="winbind.html#id417272">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="winbind.html#id417589">Introduction</a></span></dt><dt><span class="sect1"><a href="winbind.html#id417666">What Winbind Provides</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id417805">Target Uses</a></span></dt><dt><span class="sect2"><a href="winbind.html#id417844">Handling of Foreign SIDs</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id417956">How Winbind Works</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id418004">Microsoft Remote Procedure Calls</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418082">Microsoft Active Directory Services</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418126">Name Service Switch</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418338">Pluggable Authentication Modules</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418479">User and Group ID Allocation</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418546">Result Caching</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id418597">Installation and Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id418602">Introduction</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418709">Requirements</a></span></dt><dt><span class="sect2"><a href="winbind.html#id418852">Testing Things Out</a></span></dt></dl></dd><dt><span class="sect1"><a href="winbind.html#id421094">Conclusion</a></span></dt><dt><span class="sect1"><a 
href="winbind.html#id421140">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="winbind.html#id421173">NSCD Problem Warning</a></span></dt><dt><span class="sect2"><a href="winbind.html#id421207">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id417272"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id417280"></a>
-<a class="indexterm" name="id417286"></a>
- Integration of UNIX and Microsoft Windows NT through a unified logon has
- been considered a <span class="quote">&#8220;<span class="quote">holy grail</span>&#8221;</span> in heterogeneous computing environments for
- a long time.
- </p><p>
-<a class="indexterm" name="id417301"></a>
-<a class="indexterm" name="id417308"></a>
-<a class="indexterm" name="id417315"></a>
-<a class="indexterm" name="id417322"></a>
- There is one other facility without which UNIX and Microsoft Windows network
- interoperability would suffer greatly. It is imperative that there be a
- mechanism for sharing files across UNIX systems and to be able to assign
- domain user and group ownerships with integrity.
- </p><p>
-<a class="indexterm" name="id417334"></a>
-<a class="indexterm" name="id417343"></a>
-<a class="indexterm" name="id417350"></a>
-<a class="indexterm" name="id417357"></a>
- <span class="emphasis"><em>winbind</em></span> is a component of the Samba suite of programs that
- solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
- RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to
- allow Windows NT domain users to appear and operate as UNIX users on a UNIX
- machine. This chapter describes the Winbind system, the functionality
- it provides, how it is configured, and how it works internally.
- </p><p>
- Winbind provides three separate functions:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
-<a class="indexterm" name="id417380"></a>
-<a class="indexterm" name="id417387"></a>
- Authentication of user credentials (via PAM). This makes it possible to
- log onto a UNIX/Linux system using user and group accounts from a Windows
- NT4 (including a Samba domain) or an Active Directory domain.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id417400"></a>
-<a class="indexterm" name="id417407"></a>
- Identity resolution (via NSS). This is the default when winbind is not used.
- </p></li><li class="listitem"><p>
-<a class="indexterm" name="id417418"></a>
-<a class="indexterm" name="id417425"></a>
-<a class="indexterm" name="id417432"></a>
-<a class="indexterm" name="id417438"></a>
-<a class="indexterm" name="id417445"></a>
-<a class="indexterm" name="id417452"></a>
- Winbind maintains a database called winbind_idmap.tdb in which it stores
- mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only
- for users and groups that do not have a local UID/GID. It stores the UID/GID
- allocated from the idmap uid/gid range that it has mapped to the NT SID.
- If <em class="parameter"><code>idmap backend</code></em> has been specified as <code class="constant">ldap:ldap://hostname[:389]</code>,
- then instead of using a local mapping, Winbind will obtain this information
- from the LDAP database.
- </p></li></ul></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- <a class="indexterm" name="id417477"></a>
- <a class="indexterm" name="id417484"></a>
-<a class="indexterm" name="id417493"></a>
-<a class="indexterm" name="id417500"></a>
-<a class="indexterm" name="id417507"></a>
-<a class="indexterm" name="id417514"></a>
- If <code class="literal">winbindd</code> is not running, smbd (which calls <code class="literal">winbindd</code>) will fall back to
- using purely local information from <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code> and no dynamic
- mapping will be used. On an operating system that has been enabled with the NSS,
- the resolution of user and group information will be accomplished via NSS.
- </p></div><div class="figure"><a name="winbind_idmap"></a><p class="title"><b>Figure 24.1. Winbind Idmap</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap_winbind_no_loop.png" width="243" alt="Winbind Idmap"></div></div></div><br class="figure-break"></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id417589"></a>Introduction</h2></div></div></div><p>It is well known that UNIX and Microsoft Windows NT have
- different models for representing user and group information and
- use different technologies for implementing them. This fact has
- made it difficult to integrate the two systems in a satisfactory
- manner.</p><p>
-<a class="indexterm" name="id417602"></a>
-<a class="indexterm" name="id417609"></a>
- One common solution in use today has been to create
- identically named user accounts on both the UNIX and Windows systems
- and use the Samba suite of programs to provide file and print services
- between the two. This solution is far from perfect, however, because
- adding and deleting users on both sets of machines becomes a chore,
- and two sets of passwords are required both of which
- can lead to synchronization problems between the UNIX and Windows
- systems and confusion for users.</p><p>We divide the unified logon problem for UNIX machines into
- three smaller problems:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Obtaining Windows NT user and group information.
- </p></li><li class="listitem"><p>Authenticating Windows NT users.
- </p></li><li class="listitem"><p>Password changing for Windows NT users.
- </p></li></ul></div><p>
-<a class="indexterm" name="id417648"></a>
-<a class="indexterm" name="id417654"></a>
- Ideally, a prospective solution to the unified logon problem
- would satisfy all the above components without duplication of
- information on the UNIX machines and without creating additional
- tasks for the system administrator when maintaining users and
- groups on either system. The Winbind system provides a simple
- and elegant solution to all three components of the unified logon
- problem.</p></div><div class="sect1" title="What Winbind Provides"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id417666"></a>What Winbind Provides</h2></div></div></div><p>
-<a class="indexterm" name="id417674"></a>
-<a class="indexterm" name="id417681"></a>
-<a class="indexterm" name="id417688"></a>
-<a class="indexterm" name="id417695"></a>
- Winbind unifies UNIX and Windows NT account management by
- allowing a UNIX box to become a full member of an NT domain. Once
- this is done, the UNIX box will see NT users and groups as if
- they were <span class="quote">&#8220;<span class="quote">native</span>&#8221;</span> UNIX users and groups, allowing the NT domain
- to be used in much the same manner that NIS+ is used within
- UNIX-only environments.</p><p>
-<a class="indexterm" name="id417711"></a>
-<a class="indexterm" name="id417718"></a>
-<a class="indexterm" name="id417725"></a>
-<a class="indexterm" name="id417731"></a>
- The end result is that whenever a
- program on the UNIX machine asks the operating system to look up
- a user or group name, the query will be resolved by asking the
- NT domain controller for the specified domain to do the lookup.
- Because Winbind hooks into the operating system at a low level
- (via the NSS name resolution modules in the C library), this
- redirection to the NT domain controller is completely
- transparent.</p><p>
-<a class="indexterm" name="id417745"></a>
-<a class="indexterm" name="id417752"></a>
- Users on the UNIX machine can then use NT user and group
- names as they would <span class="quote">&#8220;<span class="quote">native</span>&#8221;</span> UNIX names. They can chown files
- so they are owned by NT domain users or even login to the
- UNIX machine and run a UNIX X Window session as a domain user.</p><p>
-<a class="indexterm" name="id417768"></a>
- The only obvious indication that Winbind is being used is
- that user and group names take the form <code class="constant">DOMAIN\user</code> and
- <code class="constant">DOMAIN\group</code>. This is necessary because it allows Winbind to determine
- that redirection to a domain controller is wanted for a particular
- lookup and which trusted domain is being referenced.</p><p>
-<a class="indexterm" name="id417787"></a>
-<a class="indexterm" name="id417794"></a>
- Additionally, Winbind provides an authentication service that hooks into the PAM system
- to provide authentication via an NT domain to any PAM-enabled
- applications. This capability solves the problem of synchronizing
- passwords between systems, since all passwords are stored in a single
- location (on the domain controller).</p><div class="sect2" title="Target Uses"><div class="titlepage"><div><div><h3 class="title"><a name="id417805"></a>Target Uses</h3></div></div></div><p>
-<a class="indexterm" name="id417813"></a>
- Winbind is targeted at organizations that have an
- existing NT-based domain infrastructure into which they wish
- to put UNIX workstations or servers. Winbind will allow these
- organizations to deploy UNIX workstations without having to
- maintain a separate account infrastructure. This greatly
- simplifies the administrative overhead of deploying UNIX
- workstations into an NT-based organization.</p><p>
-<a class="indexterm" name="id417826"></a>
-<a class="indexterm" name="id417833"></a>
- Another interesting way in which we expect Winbind to
- be used is as a central part of UNIX-based appliances. Appliances
- that provide file and print services to Microsoft-based networks
- will be able to use Winbind to provide seamless integration of
- the appliance into the domain.</p></div><div class="sect2" title="Handling of Foreign SIDs"><div class="titlepage"><div><div><h3 class="title"><a name="id417844"></a>Handling of Foreign SIDs</h3></div></div></div><p>
-<a class="indexterm" name="id417852"></a>
- The term <span class="emphasis"><em>foreign SID</em></span> is often met with the reaction that it
- is not relevant to a particular environment. The following documents an interchange
- that took place on the Samba mailing list. It is a good example of the confusion
- often expressed regarding the use of winbind.
- </p><p>
-<a class="indexterm" name="id417868"></a>
- Fact: Winbind is needed to handle users who use workstations that are NOT part
- of the local domain.
- </p><p>
-<a class="indexterm" name="id417879"></a>
- Response: <span class="quote">&#8220;<span class="quote">Why? I've used Samba with workstations that are not part of my domains
- lots of times without using winbind. I thought winbind was for using Samba as a member server
- in a domain controlled by another Samba/Windows PDC.</span>&#8221;</span>
- </p><p>
-<a class="indexterm" name="id417895"></a>
-<a class="indexterm" name="id417901"></a>
-<a class="indexterm" name="id417908"></a>
- If the Samba server will be accessed from a domain other than the local Samba domain, or
- if there will be access from machines that are not local domain members, winbind will
- permit the allocation of UIDs and GIDs from the assigned pool that will keep the identity
- of the foreign user separate from users that are members of the Samba domain.
- </p><p>
-<a class="indexterm" name="id417921"></a>
-<a class="indexterm" name="id417927"></a>
-<a class="indexterm" name="id417934"></a>
-<a class="indexterm" name="id417941"></a>
- This means that winbind is eminently useful in cases where a single
- Samba PDC on a local network is combined with both domain member and domain non-member workstations.
- If winbind is not used, the user george on a Windows workstation that is not a domain
- member will be able to access the files of a user called george in the account database
- of the Samba server that is acting as a PDC. When winbind is used, the default condition
- is that the local user george will be treated as the account DOMAIN\george and the
- foreign (non-member of the domain) account will be treated as MACHINE\george because
- each has a different SID.
- </p></div></div><div class="sect1" title="How Winbind Works"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id417956"></a>How Winbind Works</h2></div></div></div><p>
-<a class="indexterm" name="id417964"></a>
-<a class="indexterm" name="id417971"></a>
-<a class="indexterm" name="id417978"></a>
-<a class="indexterm" name="id417984"></a>
- The Winbind system is designed around a client/server
- architecture. A long-running <code class="literal">winbindd</code> daemon
- listens on a UNIX domain socket waiting for requests
- to arrive. These requests are generated by the NSS and PAM
- clients and are processed sequentially.</p><p>The technologies used to implement Winbind are described
- in detail below.</p><div class="sect2" title="Microsoft Remote Procedure Calls"><div class="titlepage"><div><div><h3 class="title"><a name="id418004"></a>Microsoft Remote Procedure Calls</h3></div></div></div><p>
-<a class="indexterm" name="id418012"></a>
-<a class="indexterm" name="id418021"></a>
-<a class="indexterm" name="id418028"></a>
-<a class="indexterm" name="id418034"></a>
-<a class="indexterm" name="id418041"></a>
- Over the last few years, efforts have been underway by various Samba Team members to implement various aspects of
- the Microsoft Remote Procedure Call (MSRPC) system. This system is used for most network-related operations
- between Windows NT machines, including remote management, user authentication, and print spooling. Although
- initially this work was done to aid the implementation of Primary Domain Controller (PDC) functionality in
- Samba, it has also yielded a body of code that can be used for other purposes.
- </p><p>
-<a class="indexterm" name="id418056"></a>
-<a class="indexterm" name="id418063"></a>
-<a class="indexterm" name="id418069"></a>
- Winbind uses various MSRPC calls to enumerate domain users and groups and to obtain detailed information about
- individual users or groups. Other MSRPC calls can be used to authenticate NT domain users and to change user
- passwords. By directly querying a Windows PDC for user and group information, Winbind maps the NT account
- information onto UNIX user and group names.
- </p></div><div class="sect2" title="Microsoft Active Directory Services"><div class="titlepage"><div><div><h3 class="title"><a name="id418082"></a>Microsoft Active Directory Services</h3></div></div></div><p>
-<a class="indexterm" name="id418090"></a>
-<a class="indexterm" name="id418096"></a>
-<a class="indexterm" name="id418103"></a>
-<a class="indexterm" name="id418110"></a>
- Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using its <span class="quote">&#8220;<span class="quote">native
- mode</span>&#8221;</span> protocols rather than the NT4 RPC services. Using LDAP and Kerberos, a domain member running
- Winbind can enumerate users and groups in exactly the same way as a Windows 200x client would, and in so doing
- provide a much more efficient and effective Winbind implementation.
- </p></div><div class="sect2" title="Name Service Switch"><div class="titlepage"><div><div><h3 class="title"><a name="id418126"></a>Name Service Switch</h3></div></div></div><p>
-<a class="indexterm" name="id418134"></a>
-<a class="indexterm" name="id418140"></a>
-<a class="indexterm" name="id418147"></a>
-<a class="indexterm" name="id418153"></a>
- The NSS is a feature that is present in many UNIX operating systems. It allows system
- information such as hostnames, mail aliases, and user information
- to be resolved from different sources. For example, a standalone
- UNIX workstation may resolve system information from a series of
- flat files stored on the local file system. A networked workstation
- may first attempt to resolve system information from local files,
- and then consult an NIS database for user information or a DNS server
- for hostname information.</p><p>
-<a class="indexterm" name="id418168"></a>
-<a class="indexterm" name="id418174"></a>
-<a class="indexterm" name="id418181"></a>
-<a class="indexterm" name="id418188"></a>
-<a class="indexterm" name="id418195"></a>
- The NSS application programming interface allows Winbind to present itself as a source of system
- information when resolving UNIX usernames and groups. Winbind uses this interface and information obtained
- from a Windows NT server using MSRPC calls to provide a new source of account enumeration. Using standard UNIX
- library calls, you can enumerate the users and groups on a UNIX machine running Winbind and see all users and
- groups in an NT domain plus any trusted domain as though they were local users and groups.
- </p><p>
-<a class="indexterm" name="id418209"></a>
-<a class="indexterm" name="id418216"></a>
-<a class="indexterm" name="id418222"></a>
- The primary control file for NSS is <code class="filename">/etc/nsswitch.conf</code>. When a UNIX application
- makes a request to do a lookup, the C library looks in <code class="filename">/etc/nsswitch.conf</code> for a line that
- matches the service type being requested; for example, the <span class="quote">&#8220;<span class="quote">passwd</span>&#8221;</span> service type is used when
- user or group names are looked up. This config line specifies which implementations of that service should be
- tried and in what order. If the passwd config line is:
-</p><pre class="screen">
-passwd: files example
-</pre><p>
-<a class="indexterm" name="id418254"></a>
-<a class="indexterm" name="id418260"></a>
-<a class="indexterm" name="id418267"></a>
- then the C library will first load a module called <code class="filename">/lib/libnss_files.so</code> followed
- by the module <code class="filename">/lib/libnss_example.so</code>. The C library will dynamically load each of these
- modules in turn and call resolver functions within the modules to try to resolve the request. Once the request
- is resolved, the C library returns the result to the application.
- </p><p>
-<a class="indexterm" name="id418292"></a>
-<a class="indexterm" name="id418298"></a>
-<a class="indexterm" name="id418305"></a>
- This NSS interface provides an easy way for Winbind to hook into the operating system. All that needs
- to be done is to put <code class="filename">libnss_winbind.so</code> in <code class="filename">/lib/</code> then add
- <span class="quote">&#8220;<span class="quote">winbind</span>&#8221;</span> into <code class="filename">/etc/nsswitch.conf</code> at the appropriate place. The C library
- will then call Winbind to resolve user and group names.
- </p></div><div class="sect2" title="Pluggable Authentication Modules"><div class="titlepage"><div><div><h3 class="title"><a name="id418338"></a>Pluggable Authentication Modules</h3></div></div></div><p>
-<a class="indexterm" name="id418346"></a>
-<a class="indexterm" name="id418352"></a>
-<a class="indexterm" name="id418359"></a>
-<a class="indexterm" name="id418366"></a>
- PAMs provide a system for abstracting authentication and authorization technologies. With a PAM
- module, it is possible to specify different authentication methods for different system applications without
- having to recompile these applications. PAM is also useful for implementing a particular policy for
- authorization. For example, a system administrator may only allow console logins from users stored in the
- local password file but only allow users resolved from an NIS database to log in over the network.
- </p><p>
-<a class="indexterm" name="id418380"></a>
-<a class="indexterm" name="id418387"></a>
-<a class="indexterm" name="id418394"></a>
-<a class="indexterm" name="id418400"></a>
-<a class="indexterm" name="id418407"></a>
- Winbind uses the authentication management and password management PAM interface to integrate Windows
- NT users into a UNIX system. This allows Windows NT users to log in to a UNIX machine and be authenticated
- against a suitable PDC. These users can also change their passwords and have this change take effect directly
- on the PDC.
- </p><p>
-<a class="indexterm" name="id418420"></a>
-<a class="indexterm" name="id418426"></a>
-<a class="indexterm" name="id418433"></a>
-<a class="indexterm" name="id418440"></a>
- PAM is configured by providing control files in the directory <code class="filename">/etc/pam.d/</code> for
- each of the services that require authentication. When an authentication request is made by an application,
- the PAM code in the C library looks up this control file to determine what modules to load to do the
- authentication check and in what order. This interface makes adding a new authentication service for Winbind
- very easy: simply copy the <code class="filename">pam_winbind.so</code> module to <code class="filename">/lib/security/</code>,
- and the PAM control files for relevant services are updated to allow authentication via Winbind. See the PAM
- documentation in <a class="link" href="pam.html" title="Chapter 28. PAM-Based Distributed Authentication">PAM-Based Distributed Authentication</a>, for more information.
- </p></div><div class="sect2" title="User and Group ID Allocation"><div class="titlepage"><div><div><h3 class="title"><a name="id418479"></a>User and Group ID Allocation</h3></div></div></div><p>
-<a class="indexterm" name="id418486"></a>
-<a class="indexterm" name="id418493"></a>
-<a class="indexterm" name="id418500"></a>
- When a user or group is created under Windows NT/200x, it is allocated a numerical relative identifier
- (RID). This is slightly different from UNIX, which has a range of numbers that are used to identify users and
- the same range used to identify groups. It is Winbind's job to convert RIDs to UNIX ID numbers and vice versa.
- When Winbind is configured, it is given part of the UNIX user ID space and a part of the UNIX group ID space
- in which to store Windows NT users and groups. If a Windows NT user is resolved for the first time, it is
- allocated the next UNIX ID from the range. The same process applies for Windows NT groups. Over time, Winbind
- will have mapped all Windows NT users and groups to UNIX user IDs and group IDs.
- </p><p>
-<a class="indexterm" name="id418516"></a>
-<a class="indexterm" name="id418523"></a>
-<a class="indexterm" name="id418529"></a>
-<a class="indexterm" name="id418536"></a>
- The results of this mapping are stored persistently in an ID mapping database held in a tdb database.
- This ensures that RIDs are mapped to UNIX IDs in a consistent way.
- </p></div><div class="sect2" title="Result Caching"><div class="titlepage"><div><div><h3 class="title"><a name="id418546"></a>Result Caching</h3></div></div></div><p>
-<a class="indexterm" name="id418554"></a>
-<a class="indexterm" name="id418561"></a>
-<a class="indexterm" name="id418567"></a>
-<a class="indexterm" name="id418574"></a>
-<a class="indexterm" name="id418581"></a>
- An active directory system can generate a lot of user and group name lookups. To reduce the network
- cost of these lookups, Winbind uses a caching scheme based on the SAM sequence number supplied by NT domain
- controllers. User or group information returned by a PDC is cached by Winbind along with a sequence number
- also returned by the PDC. This sequence number is incremented by Windows NT whenever any user or group
- information is modified. If a cached entry has expired, the sequence number is requested from the PDC and
- compared against the sequence number of the cached entry. If the sequence numbers do not match, then the
- cached information is discarded and up-to-date information is requested directly from the PDC.
- </p></div></div><div class="sect1" title="Installation and Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id418597"></a>Installation and Configuration</h2></div></div></div><div class="sect2" title="Introduction"><div class="titlepage"><div><div><h3 class="title"><a name="id418602"></a>Introduction</h3></div></div></div><p>
-<a class="indexterm" name="id418610"></a>
-<a class="indexterm" name="id418617"></a>
-<a class="indexterm" name="id418624"></a>
-This section describes the procedures used to get Winbind up and running. Winbind is capable of providing
-access and authentication control for Windows Domain users through an NT or Windows 200x PDC for regular
-services, such as telnet and ftp, as well for Samba services.
-</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- <span class="emphasis"><em>Why should I do this?</em></span>
- </p><p>
-<a class="indexterm" name="id418647"></a>
-<a class="indexterm" name="id418654"></a>
-<a class="indexterm" name="id418661"></a>
-<a class="indexterm" name="id418667"></a>
-This allows the Samba administrator to rely on the authentication mechanisms on the Windows NT/200x PDC
-for the authentication of domain members. Windows NT/200x users no longer need to have separate accounts on
-the Samba server.
- </p></li><li class="listitem"><p>
- <span class="emphasis"><em>Who should be reading this document?</em></span>
- </p><p>
-<a class="indexterm" name="id418690"></a>
-<a class="indexterm" name="id418696"></a>
-This document is designed for system administrators. If you are implementing Samba on a file server and wish
-to (fairly easily) integrate existing Windows NT/200x users from your PDC onto the Samba server, this document
-is for you.
- </p></li></ul></div></div><div class="sect2" title="Requirements"><div class="titlepage"><div><div><h3 class="title"><a name="id418709"></a>Requirements</h3></div></div></div><p>
-<a class="indexterm" name="id418717"></a>
-<a class="indexterm" name="id418724"></a>
-<a class="indexterm" name="id418730"></a>
-If you have a Samba configuration file that you are currently using, <span class="emphasis"><em>BACK IT UP!</em></span>
-If your system already uses PAM, <span class="emphasis"><em>back up the <code class="filename">/etc/pam.d</code> directory
-contents!</em></span> If you haven't already made a boot disk, <span class="emphasis"><em>MAKE ONE NOW!</em></span>
-</p><p>
-<a class="indexterm" name="id418758"></a>
-<a class="indexterm" name="id418765"></a>
-<a class="indexterm" name="id418772"></a>
-Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's
-why you want to be able to boot back into your machine in single-user mode and restore your
-<code class="filename">/etc/pam.d</code> to the original state it was in if you get frustrated with the
-way things are going.
-</p><p>
-<a class="indexterm" name="id418790"></a>
-<a class="indexterm" name="id418797"></a>
-The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the <a class="ulink" href="http://samba.org/" target="_top">main Samba Web page</a>, or better yet, your closest Samba mirror site for
-instructions on downloading the source code.
-</p><p>
-<a class="indexterm" name="id418815"></a>
-<a class="indexterm" name="id418821"></a>
-<a class="indexterm" name="id418828"></a>
-<a class="indexterm" name="id418835"></a>
-To allow domain users the ability to access Samba shares and files, as well as potentially other services
-provided by your Samba machine, PAM must be set up properly on your
-machine. In order to compile the Winbind modules, the PAM development libraries should be installed
-on your system. Please refer to the <a class="ulink" href="http://www.kernel.org/pub/linux/libs/pam/" target="_top">PAM Web Site</a>.
-</p></div><div class="sect2" title="Testing Things Out"><div class="titlepage"><div><div><h3 class="title"><a name="id418852"></a>Testing Things Out</h3></div></div></div><p>
-<a class="indexterm" name="id418860"></a>
-<a class="indexterm" name="id418867"></a>
-<a class="indexterm" name="id418874"></a>
-<a class="indexterm" name="id418880"></a>
-<a class="indexterm" name="id418887"></a>
-Before starting, it is probably best to kill off all the Samba-related daemons running on your server.
-Kill off all <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> processes that may be running. To use PAM,
-make sure that you have the standard PAM package that supplies the <code class="filename">/etc/pam.d</code>
-directory structure, including the PAM modules that are used by PAM-aware services, several PAM libraries,
-and the <code class="filename">/usr/doc</code> and <code class="filename">/usr/man</code> entries for PAM. Winbind is built
-better in Samba if the pam-devel package is also installed. This package includes the header files
-needed to compile PAM-aware applications.
-</p><div class="sect3" title="Configure nsswitch.conf and the Winbind Libraries on Linux and Solaris"><div class="titlepage"><div><div><h4 class="title"><a name="id418935"></a>Configure <code class="filename">nsswitch.conf</code> and the Winbind Libraries on Linux and Solaris</h4></div></div></div><p>
-<a class="indexterm" name="id418949"></a>
-<a class="indexterm" name="id418955"></a>
-<a class="indexterm" name="id418962"></a>
-<a class="indexterm" name="id418969"></a>
-PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install
-the <code class="filename">pam-devel</code> libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3
-may auto-install the Winbind files into their correct locations on your system, so before you get too far down
-the track, be sure to check if the following configuration is really
-necessary. You may only need to configure
-<code class="filename">/etc/nsswitch.conf</code>.
-</p><p>
-The libraries needed to run the <span class="application">winbindd</span> daemon through nsswitch need to be copied to their proper locations:
-</p><p>
-<a class="indexterm" name="id419004"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cp ../samba/source/nsswitch/libnss_winbind.so /lib</code></strong>
-</pre><p>
-</p><p>
-I also found it necessary to make the following symbolic link:
-</p><p>
-<code class="prompt">root# </code> <strong class="userinput"><code>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</code></strong>
-</p><p>And, in the case of Sun Solaris:
-<a class="indexterm" name="id419049"></a>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</code></strong>
-<code class="prompt">root# </code><strong class="userinput"><code>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</code></strong>
-</pre><p>
-</p><p>
-<a class="indexterm" name="id419097"></a>
-As root, edit <code class="filename">/etc/nsswitch.conf</code> to allow user and group entries to be visible from the
-<span class="application">winbindd</span> daemon. My <code class="filename">/etc/nsswitch.conf</code> file looked like this after editing:
-</p><pre class="programlisting">
-passwd: files winbind
-shadow: files
-group: files winbind
-</pre><p>
-<a class="indexterm" name="id419131"></a>
-<a class="indexterm" name="id419138"></a>
-<a class="indexterm" name="id419145"></a>
-<a class="indexterm" name="id419151"></a>
-<a class="indexterm" name="id419158"></a>
-The libraries needed by the <code class="literal">winbindd</code> daemon will be automatically
-entered into the <code class="literal">ldconfig</code> cache the next time
-your system reboots, but it is faster (and you do not need to reboot) if you do it manually:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>/sbin/ldconfig -v | grep winbind</code></strong>
-</pre><p>
-This makes <code class="filename">libnss_winbind</code> available to winbindd and reports the current
-search path that is used by the dynamic link loader. The use of the <code class="literal">grep</code>
-filters the output of the <code class="literal">ldconfig</code> command so that we may see proof that
-this library is indeed recognized by the dynamic link loader.
-</p><p>
-<a class="indexterm" name="id419218"></a>
-<a class="indexterm" name="id419224"></a>
-<a class="indexterm" name="id419231"></a>
-<a class="indexterm" name="id419238"></a>
-<a class="indexterm" name="id419245"></a>
-The Sun Solaris dynamic link loader management tool is called <code class="literal">crle</code>. The
-use of this tool is necessary to instruct the dynamic link loader to search directories that
-contain library files that were not supplied as part of the original operating system platform.
-The following example shows how to use this tool to add the directory <code class="filename">/usr/local/lib</code>
-to the dynamic link loader's search path:
-</p><pre class="screen">
-<code class="prompt">root# </code> crle -u -l /usr/lib:/usr/local/lib
-</pre><p>
-When executed without arguments, <code class="literal">crle</code> reports the current dynamic
-link loader configuration. This is demonstrated here:
-</p><pre class="screen">
-<code class="prompt">root# </code> crle
-
-Configuration file [version 4]: /var/ld/ld.config
- Default Library Path (ELF): /lib:/usr/lib:/usr/local/lib
- Trusted Directories (ELF): /lib/secure:/usr/lib/secure (system default)
-
-Command line:
- crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/local/lib
-</pre><p>
-From this it is apparent that the <code class="filename">/usr/local/lib</code> directory is included
-in the search dynamic link libraries in order to satisfy object module dependencies.
-</p></div><div class="sect3" title="NSS Winbind on AIX"><div class="titlepage"><div><div><h4 class="title"><a name="id419308"></a>NSS Winbind on AIX</h4></div></div></div><p>(This section is only for those running AIX.)</p><p>
-<a class="indexterm" name="id419320"></a>
-<a class="indexterm" name="id419326"></a>
-<a class="indexterm" name="id419333"></a>
-<a class="indexterm" name="id419340"></a>
-<a class="indexterm" name="id419347"></a>
-<a class="indexterm" name="id419354"></a>
-The Winbind AIX identification module gets built as <code class="filename">libnss_winbind.so</code> in the
-nsswitch directory of the Samba source. This file can be copied to <code class="filename">/usr/lib/security</code>,
-and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:
-</p><pre class="programlisting">
-WINBIND:
- program = /usr/lib/security/WINBIND
- options = authonly
-</pre><p>
-can then be added to <code class="filename">/usr/lib/security/methods.cfg</code>. This module only supports
-identification, but there have been reports of success using the standard Winbind PAM module for
-authentication. Use caution configuring loadable authentication modules, since misconfiguration can make
-it impossible to log on to the system. Information regarding the AIX authentication module API can
-be found in the <span class="quote">&#8220;<span class="quote">Kernel Extensions and Device Support Programming Concepts for AIX</span>&#8221;</span> document that
-describes the <a class="ulink" href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm" target="_top">
-Loadable Authentication Module Programming Interface</a> for AIX. Further information on administering the modules
-can be found in the <a class="ulink" href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm" target="_top">System
-Management Guide: Operating System and Devices.</a>
-</p></div><div class="sect3" title="Configure smb.conf"><div class="titlepage"><div><div><h4 class="title"><a name="id419410"></a>Configure smb.conf</h4></div></div></div><p>
-<a class="indexterm" name="id419418"></a>
-<a class="indexterm" name="id419425"></a>
-<a class="indexterm" name="id419432"></a>
-Several parameters are needed in the <code class="filename">smb.conf</code> file to control the behavior of <span class="application">winbindd</span>. These
-are described in more detail in the <a class="citerefentry" href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> man page. My <code class="filename">smb.conf</code> file, as shown in <a class="link" href="winbind.html#winbindcfg" title="Example 24.1. smb.conf for Winbind Setup">the smb.conf for Winbind Setup</a>, was modified to include the necessary entries in the [global] section.
-</p><div class="example"><a name="winbindcfg"></a><p class="title"><b>Example 24.1. smb.conf for Winbind Setup</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td># separate domain and username with '\', like DOMAIN\username</td></tr><tr><td><a class="indexterm" name="id419503"></a><em class="parameter"><code>winbind separator = \</code></em></td></tr><tr><td># use uids from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id419518"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td># use gids from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id419533"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id419548"></a><em class="parameter"><code>winbind enum users = yes</code></em></td></tr><tr><td><a class="indexterm" name="id419560"></a><em class="parameter"><code>winbind enum groups = yes</code></em></td></tr><tr><td># give winbind users a real shell (only needed if they have telnet access)</td></tr><tr><td><a class="indexterm" name="id419576"></a><em class="parameter"><code>template homedir = /home/winnt/%D/%U</code></em></td></tr><tr><td><a class="indexterm" name="id419587"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" title="Join the Samba Server to the PDC Domain"><div class="titlepage"><div><div><h4 class="title"><a name="id419601"></a>Join the Samba Server to the PDC Domain</h4></div></div></div><p>
-<a class="indexterm" name="id419609"></a>
-<a class="indexterm" name="id419616"></a>
-<a class="indexterm" name="id419622"></a>
-All machines that will participate in domain security should be members of
-the domain. This applies also to the PDC and all BDCs.
-</p><p>
-<a class="indexterm" name="id419633"></a>
-<a class="indexterm" name="id419640"></a>
-<a class="indexterm" name="id419647"></a>
-<a class="indexterm" name="id419658"></a>
-<a class="indexterm" name="id419665"></a>
-<a class="indexterm" name="id419671"></a>
-<a class="indexterm" name="id419678"></a>
-<a class="indexterm" name="id419685"></a>
-<a class="indexterm" name="id419692"></a>
-The process of joining a domain requires the use of the <code class="literal">net rpc join</code>
-command. This process communicates with the domain controller it will register with
-(usually the PDC) via MS DCE RPC. This means, of course, that the <code class="literal">smbd</code>
-process must be running on the target domain controller. It is therefore necessary to temporarily
-start Samba on a PDC so that it can join its own domain.
-</p><p>
-<a class="indexterm" name="id419716"></a>
-<a class="indexterm" name="id419723"></a>
-<a class="indexterm" name="id419730"></a>
-Enter the following command to make the Samba server join the domain, where <em class="replaceable"><code>PDC</code></em> is
-the name of your PDC and <em class="replaceable"><code>Administrator</code></em> is a domain user who has administrative
-privileges in the domain.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id419749"></a>
-<a class="indexterm" name="id419756"></a>
-<a class="indexterm" name="id419763"></a>
-<a class="indexterm" name="id419769"></a>
-Before attempting to join a machine to the domain, verify that Samba is running
-on the target domain controller (usually PDC) and that it is capable of being reached via ports
-137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx).
-</p></div><p>
-<a class="indexterm" name="id419782"></a>
-The use of the <code class="literal">net rpc join</code> facility is shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</code></strong>
-</pre><p>
-The proper response to the command should be <span class="quote">&#8220;<span class="quote">Joined the domain
-<em class="replaceable"><code>DOMAIN</code></em></span>&#8221;</span> where <em class="replaceable"><code>DOMAIN</code></em>
-is your domain name.
-</p></div><div class="sect3" title="Starting and Testing the winbindd Daemon"><div class="titlepage"><div><div><h4 class="title"><a name="id419828"></a>Starting and Testing the <code class="literal">winbindd</code> Daemon</h4></div></div></div><p>
-<a class="indexterm" name="id419842"></a>
-<a class="indexterm" name="id419849"></a>
-<a class="indexterm" name="id419855"></a>
-Eventually, you will want to modify your Samba startup script to automatically invoke the winbindd daemon when
-the other parts of Samba start, but it is possible to test out just the Winbind portion first. To start up
-Winbind services, enter the following command as root:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>/usr/local/samba/sbin/winbindd</code></strong>
-</pre><p>
-Use the appropriate path to the location of the <code class="literal">winbindd</code> executable file.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id419891"></a>
-<a class="indexterm" name="id419898"></a>
-The command to start up Winbind services assumes that Samba has been installed in the
-<code class="filename">/usr/local/samba</code> directory tree. You may need to search for the location of Samba files
-if this is not the location of <code class="literal">winbindd</code> on your system.
-</p></div><p>
-<a class="indexterm" name="id419922"></a>
-<a class="indexterm" name="id419928"></a>
-I'm always paranoid and like to make sure the daemon is really running.
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>ps -ae | grep winbindd</code></strong>
-</pre><p>
-</p><p>
-<a class="indexterm" name="id419955"></a>
-This command should produce output like the following if the daemon is running.
-</p><pre class="screen">
-3025 ? 00:00:00 winbindd
-</pre><p>
-</p><p>
-<a class="indexterm" name="id419972"></a>
-<a class="indexterm" name="id419978"></a>
-Now, for the real test, try to get some information about the users on your PDC:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>/usr/local/samba/bin/wbinfo -u</code></strong>
-</pre><p>
-This should echo back a list of users on your Windows users on your PDC. For example, I get the following
-response:
-</p><pre class="screen">
-CEO\Administrator
-CEO\burdell
-CEO\Guest
-CEO\jt-ad
-CEO\krbtgt
-CEO\TsInternetUser
-</pre><p>
-Obviously, I have named my domain <span class="quote">&#8220;<span class="quote">CEO</span>&#8221;</span> and my <a class="link" href="smb.conf.5.html#WINBINDSEPARATOR" target="_top">winbind separator</a> is
-<span class="quote">&#8220;<span class="quote">\</span>&#8221;</span>.
-</p><p>
-<a class="indexterm" name="id420032"></a>
-<a class="indexterm" name="id420039"></a>
-You can do the same sort of thing to get group information from the PDC:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>/usr/local/samba/bin/wbinfo -g</code></strong>
-CEO\Domain Admins
-CEO\Domain Users
-CEO\Domain Guests
-CEO\Domain Computers
-CEO\Domain Controllers
-CEO\Cert Publishers
-CEO\Schema Admins
-CEO\Enterprise Admins
-CEO\Group Policy Creator Owners
-</pre><p>
-<a class="indexterm" name="id420066"></a>
-<a class="indexterm" name="id420072"></a>
-<a class="indexterm" name="id420079"></a>
-<a class="indexterm" name="id420086"></a>
-<a class="indexterm" name="id420092"></a>
-<a class="indexterm" name="id420099"></a>
-<a class="indexterm" name="id420106"></a>
-The function <code class="literal">getent</code> can now be used to get unified lists of both local and PDC users and
-groups. Try the following command:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>getent passwd</code></strong>
-</pre><p>
-You should get a list that looks like your <code class="filename">/etc/passwd</code>
-list followed by the domain users with their new UIDs, GIDs, home
-directories, and default shells.
-</p><p>
-The same thing can be done for groups with the command:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>getent group</code></strong>
-</pre><p>
-</p></div><div class="sect3" title="Fix the init.d Startup Scripts"><div class="titlepage"><div><div><h4 class="title"><a name="id420164"></a>Fix the init.d Startup Scripts</h4></div></div></div><div class="sect4" title="Linux"><div class="titlepage"><div><div><h5 class="title"><a name="id420170"></a>Linux</h5></div></div></div><p>
-<a class="indexterm" name="id420178"></a>
-<a class="indexterm" name="id420185"></a>
-<a class="indexterm" name="id420191"></a>
-<a class="indexterm" name="id420198"></a>
-<a class="indexterm" name="id420205"></a>
-<a class="indexterm" name="id420212"></a>
-The <span class="application">winbindd</span> daemon needs to start up after the <span class="application">smbd</span> and <span class="application">nmbd</span> daemons are running. To accomplish this
-task, you need to modify the startup scripts of your system. They are located at
-<code class="filename">/etc/init.d/smb</code> in Red Hat Linux and in <code class="filename">/etc/init.d/samba</code> in Debian
-Linux. Edit your script to add commands to invoke this daemon in the proper sequence. My startup script starts
-up <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> from the <code class="filename">/usr/local/samba/bin</code> directory directly. The
-<code class="literal">start</code> function in the script looks like this:
-</p><pre class="programlisting">
-start() {
- KIND="SMB"
- echo -n $"Starting $KIND services: "
- daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
- RETVAL=$?
- echo
- KIND="NMB"
- echo -n $"Starting $KIND services: "
- daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
- RETVAL2=$?
- echo
- KIND="Winbind"
- echo -n $"Starting $KIND services: "
- daemon /usr/local/samba/sbin/winbindd
- RETVAL3=$?
- echo
- [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; \
- touch /var/lock/subsys/smb || RETVAL=1
- return $RETVAL
-}
-</pre><p>If you would like to run winbindd in dual daemon mode, replace the line:
-</p><pre class="programlisting">
- daemon /usr/local/samba/sbin/winbindd
-</pre><p>
-
-in the example above with:
-
-</p><pre class="programlisting">
- daemon /usr/local/samba/sbin/winbindd -D
-</pre><p>.
-</p><p>
-The <code class="literal">stop</code> function has a corresponding entry to shut down the services and looks like this:
-</p><pre class="programlisting">
-stop() {
- KIND="SMB"
- echo -n $"Shutting down $KIND services: "
- killproc smbd
- RETVAL=$?
- echo
- KIND="NMB"
- echo -n $"Shutting down $KIND services: "
- killproc nmbd
- RETVAL2=$?
- echo
- KIND="Winbind"
- echo -n $"Shutting down $KIND services: "
- killproc winbindd
- RETVAL3=$?
- [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &amp;&amp; \
- rm -f /var/lock/subsys/smb
- echo ""
- return $RETVAL
-}
-</pre></div><div class="sect4" title="Solaris"><div class="titlepage"><div><div><h5 class="title"><a name="id420337"></a>Solaris</h5></div></div></div><p>
-Winbind does not work on Solaris 9; see <a class="link" href="Portability.html#winbind-solaris9" title="Winbind on Solaris 9">Winbind on Solaris 9 section</a>
-for details.
-</p><p>
-<a class="indexterm" name="id420356"></a>
-<a class="indexterm" name="id420363"></a>
-<a class="indexterm" name="id420370"></a>
-<a class="indexterm" name="id420377"></a>
-<a class="indexterm" name="id420384"></a>
-<a class="indexterm" name="id420390"></a>
-On Solaris, you need to modify the <code class="filename">/etc/init.d/samba.server</code> startup script. It
-usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in
-<code class="filename">/usr/local/samba/bin</code>, the file could contains something like this:
-</p><p>
- </p><pre class="programlisting">
- ##
- ## samba.server
- ##
-
- if [ ! -d /usr/bin ]
- then # /usr not mounted
- exit
- fi
-
- killproc() { # kill the named process(es)
- pid=`/usr/bin/ps -e |
- /usr/bin/grep -w $1 |
- /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
- [ "$pid" != "" ] &amp;&amp; kill $pid
- }
-
- # Start/stop processes required for Samba server
-
- case "$1" in
-
- 'start')
- #
- # Edit these lines to suit your installation (paths, workgroup, host)
- #
- echo Starting SMBD
- /usr/local/samba/bin/smbd -D -s \
- /usr/local/samba/smb.conf
-
- echo Starting NMBD
- /usr/local/samba/bin/nmbd -D -l \
- /usr/local/samba/var/log -s /usr/local/samba/smb.conf
-
- echo Starting Winbind Daemon
- /usr/local/samba/sbin/winbindd
- ;;
-
- 'stop')
- killproc nmbd
- killproc smbd
- killproc winbindd
- ;;
-
- *)
- echo "Usage: /etc/init.d/samba.server { start | stop }"
- ;;
- esac
-</pre><p>
-Again, if you would like to run winbindd in dual daemon mode, replace:
-</p><pre class="programlisting">
-/usr/local/samba/sbin/winbindd
-</pre><p>
-in the script above with:
-</p><pre class="programlisting">
-/usr/local/samba/sbin/winbindd -D
-</pre><p>
-</p></div><div class="sect4" title="Restarting"><div class="titlepage"><div><div><h5 class="title"><a name="id420456"></a>Restarting</h5></div></div></div><p>
-<a class="indexterm" name="id420464"></a>
-<a class="indexterm" name="id420471"></a>
-If you restart the <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> daemons at this point, you
-should be able to connect to the Samba server as a domain member just as
-if you were a local user.
-</p></div></div><div class="sect3" title="Configure Winbind and PAM"><div class="titlepage"><div><div><h4 class="title"><a name="id420500"></a>Configure Winbind and PAM</h4></div></div></div><p>
-<a class="indexterm" name="id420508"></a>
-<a class="indexterm" name="id420514"></a>
-<a class="indexterm" name="id420521"></a>
-<a class="indexterm" name="id420528"></a>
-If you have made it this far, you know that <code class="literal">winbindd</code> and Samba are working together. If you
-want to use Winbind to provide authentication for other services, keep reading. The PAM configuration files
-need to be altered in this step. (Did you remember to make backups of your original
-<code class="filename">/etc/pam.d</code> files? If not, do it now.)
-</p><p>
-<a class="indexterm" name="id420552"></a>
-<a class="indexterm" name="id420559"></a>
-<a class="indexterm" name="id420566"></a>
-<a class="indexterm" name="id420572"></a>
-<a class="indexterm" name="id420579"></a>
-<a class="indexterm" name="id420586"></a>
-You will need a PAM module to use winbindd with these other services. This module will be compiled in the
-<code class="filename">../source/nsswitch</code> directory by invoking the command:
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>make nsswitch/pam_winbind.so</code></strong>
-</pre><p>
-from the <code class="filename">../source</code> directory. The <code class="filename">pam_winbind.so</code> file should be
-copied to the location of your other PAM security modules. On my Red Hat system, this was the
-<code class="filename">/lib/security</code> directory. On Solaris, the PAM security modules reside in
-<code class="filename">/usr/lib/security</code>.
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</code></strong>
-</pre><p>
-</p><div class="sect4" title="Linux/FreeBSD-Specific PAM Configuration"><div class="titlepage"><div><div><h5 class="title"><a name="id420659"></a>Linux/FreeBSD-Specific PAM Configuration</h5></div></div></div><p>
-<a class="indexterm" name="id420667"></a>
-The <code class="filename">/etc/pam.d/samba</code> file does not need to be changed. I just left this file as it was:
-</p><pre class="programlisting">
-auth required /lib/security/pam_stack.so service=system-auth
-account required /lib/security/pam_stack.so service=system-auth
-</pre><p>
-<a class="indexterm" name="id420689"></a>
-<a class="indexterm" name="id420696"></a>
-<a class="indexterm" name="id420702"></a>
-<a class="indexterm" name="id420709"></a>
-<a class="indexterm" name="id420716"></a>
-<a class="indexterm" name="id420723"></a>
-<a class="indexterm" name="id420730"></a>
-<a class="indexterm" name="id420736"></a>
-<a class="indexterm" name="id420743"></a>
-The other services that I modified to allow the use of Winbind as an authentication service were the normal
-login on the console (or a terminal session), telnet logins, and ftp service. In order to enable these
-services, you may first need to change the entries in <code class="filename">/etc/xinetd.d</code> (or
-<code class="filename">/etc/inetd.conf</code>). Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this
-case you need to change the lines in <code class="filename">/etc/xinetd.d/telnet</code> and
-<code class="filename">/etc/xinetd.d/wu-ftp</code> from:
-</p><pre class="programlisting">
- enable = no
-</pre><p>
-to
-</p><pre class="programlisting">
- enable = yes
-</pre><p>
-<a class="indexterm" name="id420791"></a>
-<a class="indexterm" name="id420798"></a>
-<a class="indexterm" name="id420805"></a>
-For ftp services to work properly, you will also need to either have individual directories for the domain
-users already present on the server or change the home directory template to a general directory for all
-domain users. These can be easily set using the <code class="filename">smb.conf</code> global entry <a class="link" href="smb.conf.5.html#TEMPLATEHOMEDIR" target="_top">template homedir</a>.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id420837"></a>
-The directory in <a class="link" href="smb.conf.5.html#TEMPLATEHOMEDIR" target="_top">template homedir</a> is not created automatically! Use pam_mkhomedir or
-pre-create the directories of users to make sure users can log in on UNIX with their own home directory.
-</p></div><p>
-<a class="indexterm" name="id420859"></a>
-<a class="indexterm" name="id420865"></a>
-<a class="indexterm" name="id420872"></a>
-The <code class="filename">/etc/pam.d/ftp</code> file can be changed to allow Winbind ftp access in a manner similar to
-the <code class="filename">/etc/pam.d/samba</code>Samba file. My <code class="filename">/etc/pam.d/ftp</code> file was changed to look like this:
-</p><pre class="programlisting">
-auth required /lib/security/pam_listfile.so item=user sense=deny \
- file=/etc/ftpusers onerr=succeed
-auth sufficient /lib/security/pam_winbind.so
-auth required /lib/security/pam_stack.so service=system-auth
-auth required /lib/security/pam_shells.so
-account sufficient /lib/security/pam_winbind.so
-account required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_stack.so service=system-auth
-</pre><p>
-<a class="indexterm" name="id420909"></a>
-The <code class="filename">/etc/pam.d/login</code> file can be changed in nearly the same way. It now looks like this:
-</p><pre class="programlisting">
-auth required /lib/security/pam_securetty.so
-auth sufficient /lib/security/pam_winbind.so
-auth sufficient /lib/security/pam_unix.so use_first_pass
-auth required /lib/security/pam_stack.so service=system-auth
-auth required /lib/security/pam_nologin.so
-account sufficient /lib/security/pam_winbind.so
-account required /lib/security/pam_stack.so service=system-auth
-password required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_stack.so service=system-auth
-session optional /lib/security/pam_console.so
-</pre><p>
-<a class="indexterm" name="id420933"></a>
-<a class="indexterm" name="id420940"></a>
-<a class="indexterm" name="id420947"></a>
-In this case, I added the </p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><p> lines
-as before, but also added the </p><pre class="programlisting">required pam_securetty.so</pre><p> above it to disallow
-root logins over the network. I also added a </p><pre class="programlisting">sufficient /lib/security/pam_unix.so
-use_first_pass</pre><p> line after the <code class="literal">winbind.so</code> line to get rid of annoying
-double prompts for passwords.
-</p></div><div class="sect4" title="Solaris-Specific Configuration"><div class="titlepage"><div><div><h5 class="title"><a name="id420982"></a>Solaris-Specific Configuration</h5></div></div></div><p>
-<a class="indexterm" name="id420990"></a>
-<a class="indexterm" name="id420996"></a>
-The <code class="filename">/etc/pam.conf</code> needs to be changed. I changed this file so my Domain
-users can log on both locally as well as with telnet. The following are the changes
-that I made. You can customize the <code class="filename">pam.conf</code> file as per your requirements, but
-be sure of those changes because in the worst case it will leave your system
-nearly impossible to boot.
-</p><pre class="programlisting">
-#
-#ident "@(#)pam.conf 1.14 99/09/16 SMI"
-#
-# Copyright (c) 1996-1999, Sun Microsystems, Inc.
-# All Rights Reserved.
-#
-# PAM configuration
-#
-# Authentication management
-#
-login auth required /usr/lib/security/pam_winbind.so
-login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
-#
-rlogin auth sufficient /usr/lib/security/pam_winbind.so
-rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
-rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-dtlogin auth sufficient /usr/lib/security/pam_winbind.so
-dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
-other auth sufficient /usr/lib/security/pam_winbind.so
-other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-# Account management
-#
-login account sufficient /usr/lib/security/pam_winbind.so
-login account requisite /usr/lib/security/$ISA/pam_roles.so.1
-login account required /usr/lib/security/$ISA/pam_unix.so.1
-#
-dtlogin account sufficient /usr/lib/security/pam_winbind.so
-dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
-dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
-#
-other account sufficient /usr/lib/security/pam_winbind.so
-other account requisite /usr/lib/security/$ISA/pam_roles.so.1
-other account required /usr/lib/security/$ISA/pam_unix.so.1
-#
-# Session management
-#
-other session required /usr/lib/security/$ISA/pam_unix.so.1
-#
-# Password management
-#
-#other password sufficient /usr/lib/security/pam_winbind.so
-other password required /usr/lib/security/$ISA/pam_unix.so.1
-dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
-#
-# Support for Kerberos V5 authentication (uncomment to use Kerberos)
-#
-#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-</pre><p>
-<a class="indexterm" name="id421065"></a>
-I also added a <em class="parameter"><code>try_first_pass</code></em> line after the <code class="filename">winbind.so</code>
-line to get rid of annoying double prompts for passwords.
-</p><p>
-Now restart your Samba and try connecting through your application that you
-configured in the pam.conf.
-</p></div></div></div></div><div class="sect1" title="Conclusion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id421094"></a>Conclusion</h2></div></div></div><p>
-<a class="indexterm" name="id421102"></a>
-<a class="indexterm" name="id421108"></a>
-<a class="indexterm" name="id421115"></a>
-<a class="indexterm" name="id421121"></a>
-<a class="indexterm" name="id421128"></a>
-The Winbind system, through the use of the NSS, PAMs, and appropriate Microsoft RPC calls, have allowed us to
-provide seamless integration of Microsoft Windows NT domain users on a UNIX system. The result is a great
-reduction in the administrative cost of running a mixed UNIX and NT network.
-</p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id421140"></a>Common Errors</h2></div></div></div><p>
- Winbind has a number of limitations in its current released version that we hope to overcome in future releases:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Winbind is currently only available for the Linux, Solaris, AIX, and IRIX operating systems, although
- ports to other operating systems are certainly possible. For such ports to be feasible, we require the C
- library of the target operating system to support the NSS and PAM systems. This is becoming more common as NSS
- and PAM gain support among UNIX vendors.
- </p></li><li class="listitem"><p>
- The mappings of Windows NT RIDs to UNIX IDs is not made algorithmically and depends on the order in
- which unmapped users or groups are seen by Winbind. It may be difficult to recover the mappings of RID to UNIX
- ID if the file containing this information is corrupted or destroyed.
- </p></li><li class="listitem"><p>
- Currently the Winbind PAM module does not take into account possible workstation and logon time
- restrictions that may be set for Windows NT users; this is instead up to the PDC to enforce.
- </p></li></ul></div><div class="sect2" title="NSCD Problem Warning"><div class="titlepage"><div><div><h3 class="title"><a name="id421173"></a>NSCD Problem Warning</h3></div></div></div><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
- Do not under any circumstances run <code class="literal">nscd</code> on any system
- on which <code class="literal">winbindd</code> is running.
- </p></div><p>
- If <code class="literal">nscd</code> is running on the UNIX/Linux system, then
- even though NSSWITCH is correctly configured, it will not be possible to resolve
- domain users and groups for file and directory controls.
- </p></div><div class="sect2" title="Winbind Is Not Resolving Users and Groups"><div class="titlepage"><div><div><h3 class="title"><a name="id421207"></a>Winbind Is Not Resolving Users and Groups</h3></div></div></div><p><span class="quote">&#8220;<span class="quote">
- My <code class="filename">smb.conf</code> file is correctly configured. I have specified <a class="link" href="smb.conf.5.html#IDMAPUID" target="_top">idmap uid = 12000</a>,
- and <a class="link" href="smb.conf.5.html#IDMAPGID" target="_top">idmap gid = 3000-3500</a> and <code class="literal">winbind</code> is running.
- When I do the following, it all works fine.
- </span>&#8221;</span></p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -u</code></strong>
-MIDEARTH\maryo
-MIDEARTH\jackb
-MIDEARTH\ameds
-...
-MIDEARTH\root
-
-<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -g</code></strong>
-MIDEARTH\Domain Users
-MIDEARTH\Domain Admins
-MIDEARTH\Domain Guests
-...
-MIDEARTH\Accounts
-
-<code class="prompt">root# </code><strong class="userinput"><code>getent passwd</code></strong>
-root:x:0:0:root:/root:/bin/bash
-bin:x:1:1:bin:/bin:/bin/bash
-...
-maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
-</pre><p><span class="quote">&#8220;<span class="quote">
-But the following command just fails:
-</span>&#8221;</span>
-</p><pre class="screen">
-<code class="prompt">root# </code><strong class="userinput"><code>chown maryo a_file</code></strong>
-chown: `maryo': invalid user
-</pre><p>
-<span class="quote">&#8220;<span class="quote">
-This is driving me nuts! What can be wrong?
-</span>&#8221;</span></p><p>
-Same problem as the one above.
-Your system is likely running <code class="literal">nscd</code>, the name service
-caching daemon. Shut it down, do not restart it! You will find your problem resolved.
-Alternately, fix the operation of nscd to resolve the problem.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. Stackable VFS modules </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. Advanced Network Management</td></tr></table></div></body></html>
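Review bot: Missing documentation pointer for the warnings removed at the end of this file's deletion hunk: the "NSCD Problem Warning" (do not run nscd on a system running winbindd), the note that the template homedir directory is not created automatically, and the caution that a wrong pam.conf edit can leave a Solaris system nearly impossible to boot all disappear here, and nothing in the visible lines says where the Samba3-HOWTO is built or published instead. If the generated HTML is being dropped from the tree on purpose, state that in the commit message and name the source or location that replaces it, so these operational warnings stay reachable. Where this text is regenerated from source, the removed Red Hat steps that set enable = yes for telnet and wu-ftp and put pam_winbind.so first as sufficient in the auth stack deserve a caveat there, since telnet and ftp send the domain password in cleartext.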